|
3some
Haagse Harry



Registered: 04/20/20
Posts: 278
Last seen: 2 months, 7 days
|
Do you think some government agency owns some of the VPN out there?
#27076469 - 12/07/20 02:10 AM (3 years, 1 month ago) |
|
|
I know this sounds like paranoia but what we try so hard to stay anonymous might actually be the thing that gives us away.
Imagine this. All the VPN users are either commercial interest trying to protect their business interest, Netflix users trying to see what's available the other side of the pond, or people who has a reason for trying to stay invisible. That's self selective group if you ask me. Captive market?
-------------------- Ask me about growing yeast, mold and bacteria. I'm very experienced. The first post any newbie should read even before acquiring spores: Pastywhyte's Principles of mushroom growing for beginners
|
Study The CNS
Anecdotal Subtext


Registered: 11/17/20
Posts: 1,588
Loc: Mexico
|
Re: Do you think some government agency owns some of the VPN out there? [Re: 3some] 1
#27078233 - 12/08/20 06:01 AM (3 years, 1 month ago) |
|
|
Quote:
Do you think some government agency owns some of the VPN out there?
Guaranteed.
|
Anonymous #1
|
Re: Do you think some government agency owns some of the VPN out there? [Re: 3some]
#27085214 - 12/12/20 08:14 AM (3 years, 1 month ago) |
|
|
Quote:
3some said: I know this sounds like paranoia but what we try so hard to stay anonymous might actually be the thing that gives us away.
Imagine this. All the VPN users are either commercial interest trying to protect their business interest, Netflix users trying to see what's available the other side of the pond, or people who has a reason for trying to stay invisible. That's self selective group if you ask me. Captive market?
I am sure various security agencies run various VPN's. There are also some out there that are run by cool people. But they don't have to be in on it, the government can sniff the traffic in and out, and if they aren't introducing random delay, it's easy to see whose inbound traffic is connected to which outbound traffic.
Same with tor - they can't see what you are doing, but they can see that you are using it. They probably don't care though, unless you are using it at work on the work internet.
VPN's aren't designed for great security. They are fine if you are buying drugs, and would probably even protect people who sell drugs, trade child porn or send bomb threats, assuming they don't keep logs that can be subpoenaed.
But if you are going to hack the pentagon or organize a terrorist attack you'll need something more secure. A long range wifi antenna pointed at a public hotspot could be very difficult indeed (probably impossible) even for the NSA to track you down - as long as you use random MAC addresses and never use the same hotspot twice.
When I was breaking into computers what I would do is hack various computers in various continents, modify them so they don't keep logs, and bounce through them in random order. If you have a lot of them (like a botnet with many thousands), the chance of you being able to be traced is 0%.
|
Narrator
Strangest in the night



Registered: 11/30/20
Posts: 187
Last seen: 1 year, 5 months
|
Re: Do you think some government agency owns some of the VPN out there? [Re: 3some]
#27104469 - 12/23/20 04:23 PM (3 years, 1 month ago) |
|
|
If the VPN doesn't keep logs how could anyone tell how you had used the VPN?
Are you saying you're paranoid the VPNs are The Man?
Every cop already knows a street where they can go and make as many arrests as they have time for. Fishing for possible criminals by sifting through big data seems an unnecessary step.
|
Anonymous #1
|
Re: Do you think some government agency owns some of the VPN out there? [Re: Narrator]
#27105081 - 12/24/20 12:19 AM (3 years, 1 month ago) |
|
|
Quote:
Narrator said: If the VPN doesn't keep logs how could anyone tell how you had used the VPN?
The packets coming in and leaving the VPN can be logged, often by places upstream of the VPN. By analyzing the timing of the packets coming in with the packets going out, the two data streams can be correlated.
Quote:
Are you saying you're paranoid the VPNs are The Man?
Paranoid no, but they are almost certainly.
Quote:
Every cop already knows a street where they can go and make as many arrests as they have time for. Fishing for possible criminals by sifting through big data seems an unnecessary step.
It wouldn't be used for mass arrests.
|
Narrator
Strangest in the night



Registered: 11/30/20
Posts: 187
Last seen: 1 year, 5 months
|
Re: Do you think some government agency owns some of the VPN out there? [Re: Anonymous #1]
#27106355 - 12/24/20 06:53 PM (3 years, 1 month ago) |
|
|
Quote:
Anonymous #1 said: It wouldn't be used for mass arrests.
I'm skeptical but walk me through what you think is happening.
|
wabbey
hey there



Registered: 12/12/14
Posts: 541
Loc: milky way-earth-new zealand
|
Re: Do you think some government agency owns some of the VPN out there? [Re: Narrator]
#27165677 - 01/23/21 03:38 PM (3 years, 4 days ago) |
|
|
i wouldn't be surprised
|
fungusul
Fungus Kingdom


Registered: 07/16/20
Posts: 1,028
|
Re: Do you think some government agency owns some of the VPN out there? [Re: wabbey] 1
#27169679 - 01/25/21 06:29 PM (3 years, 2 days ago) |
|
|
Assume that most of the VPN providers would cooperate with different agencies and keep logs. To mitigate this risk it's always a good idea to chain them and combine them with tor(known as tor over VPN). It might not be worth the effort, but that depends on your threat model.
A good source of information would be privacy tools io. Here are the vpn providers.
|
3some
Haagse Harry



Registered: 04/20/20
Posts: 278
Last seen: 2 months, 7 days
|
Re: Do you think some government agency owns some of the VPN out there? [Re: fungusul]
#27172124 - 01/27/21 02:07 AM (3 years, 19 hours ago) |
|
|
Quote:
fungusul said: Assume that most of the VPN providers would cooperate with different agencies and keep logs. To mitigate this risk it's always a good idea to chain them and combine them with tor(known as tor over VPN). It might not be worth the effort, but that depends on your threat model.
A good source of information would be privacy tools io. Here are the vpn providers.
I read somewhere that using VPN and TOR together is counterproductive.
-------------------- Ask me about growing yeast, mold and bacteria. I'm very experienced. The first post any newbie should read even before acquiring spores: Pastywhyte's Principles of mushroom growing for beginners
|
Anonymous #1
|
Re: Do you think some government agency owns some of the VPN out there? [Re: 3some] 1
#27172202 - 01/27/21 04:06 AM (3 years, 17 hours ago) |
|
|
Quote:
3some said: I read somewhere that using VPN and TOR together is counterproductive.
Why would that be?
|
nektar61
Into SporePlay



Registered: 07/04/20
Posts: 3,241
Loc: Cube Satellite
Last seen: 7 days, 17 hours
|
Re: Do you think some government agency owns some of the VPN out there? [Re: 3some]
#27172371 - 01/27/21 07:51 AM (3 years, 14 hours ago) |
|
|
Especially the free ones.
-------------------- -NEW? Start here.
|
fungusul
Fungus Kingdom


Registered: 07/16/20
Posts: 1,028
|
Re: Do you think some government agency owns some of the VPN out there? [Re: nektar61] 2
#27172861 - 01/27/21 12:26 PM (3 years, 9 hours ago) |
|
|
Using vpn and tor adds an extra layer of protection. Please note that recommended combination is tor-over-vpn and not vpn-over-tor.
Connect first to a vpn and then connect to tor. Using vpn prevents the tor entry node from seeing your ISP address, so in case your tor traffic is de-anonymized, then your ISP address is still protected. With other words, your traffic goes laptop-->ISP-->VPN-->TOR-->Internet.
The easiest way to achieve this configuration, is to configure your router to route all traffic using a trusted VPN provider and on your laptop to open a tor browser. If you really want another layer of protection, you can always install another trusted vpn on your laptop, but that would be an overkill.
|
nektar61
Into SporePlay



Registered: 07/04/20
Posts: 3,241
Loc: Cube Satellite
Last seen: 7 days, 17 hours
|
Re: Do you think some government agency owns some of the VPN out there? [Re: fungusul] 1
#27174018 - 01/28/21 04:45 AM (2 years, 11 months ago) |
|
|
Quote:
fungusul said: Using vpn and tor adds an extra layer of protection. Please note that recommended combination is tor-over-vpn and not vpn-over-tor.
Connect first to a vpn and then connect to tor. Using vpn prevents the tor entry node from seeing your ISP address, so in case your tor traffic is de-anonymized, then your ISP address is still protected. With other words, your traffic goes laptop-->ISP-->VPN-->TOR-->Internet.
The easiest way to achieve this configuration, is to configure your router to route all traffic using a trusted VPN provider and on your laptop to open a tor browser. If you really want another layer of protection, you can always install another trusted vpn on your laptop, but that would be an overkill.
all true.
I would add that if you use the VPN on router for all traffic, don't use that also for traffic that is IDed to your name, like Gmail, twitter, facebook, tiktok, etc.
A lot of people who use VPNs don't understand that. You, fungusul, obviously do, but I'm posting this for people new to privacy.
Best of all is to have a separate computer you use only for stuff you don't want connected to your name. Hopefully running Linux, and kept up to date.
There's another reason it's good to have the VPN before Tor, to keep your ISP from knowing you use Tor.
ISPs rat out people with odd internet use, and Tor is more rare and more suspect than a VPN.
I would guess at least half of people under 40 use a VPN now. I think Tor use is far less than that, and a VPN seems less suspect than a VPN to the people who keep track of other people's internet use.
-------------------- -NEW? Start here.
|
polaritymind
relaxed attention


Registered: 10/10/16
Posts: 994
Loc: Germany
Last seen: 3 months, 7 days
|
Re: Do you think some government agency owns some of the VPN out there? [Re: nektar61] 1
#27174076 - 01/28/21 06:19 AM (2 years, 11 months ago) |
|
|
I have had this thought too. When people say use TOR with VPN I thought, well doesnt that totally defeat the purpose of TOR and deanonymizes me completely, at least to the VPN company? I dont know the technical details, whether they can also see *what* I am doing through TOR or only that I am. I also wonder about this if its a govenment owned VPN. I really like using them, but I fear especially the free VPNs might be. As a general rule, nothings free in life, like with facebook you pay with your data or attention (ads). Same would go for torrenting over VPN, which is not prosecuted that much though luckily. I know people who got busted for it though. I always blamed their internet provider, since others torrenting even more with other providers never got busted.
-------------------- "to affirm life is to also affirm death" -Albert hofmann
|
polaritymind
relaxed attention


Registered: 10/10/16
Posts: 994
Loc: Germany
Last seen: 3 months, 7 days
|
Re: Do you think some government agency owns some of the VPN out there? [Re: 3some]
#27174077 - 01/28/21 06:21 AM (2 years, 11 months ago) |
|
|
Quote:
3some said:
Quote:
fungusul said: Assume that most of the VPN providers would cooperate with different agencies and keep logs. To mitigate this risk it's always a good idea to chain them and combine them with tor(known as tor over VPN). It might not be worth the effort, but that depends on your threat model.
A good source of information would be privacy tools io. Here are the vpn providers.
I read somewhere that using VPN and TOR together is counterproductive.
elaborate/explain please?
-------------------- "to affirm life is to also affirm death" -Albert hofmann
|
LemonTekno
Stranger
Registered: 08/22/20
Posts: 121
|
Re: Do you think some government agency owns some of the VPN out there? [Re: polaritymind] 2
#27174598 - 01/28/21 01:19 PM (2 years, 11 months ago) |
|
|
From the linked resource:
Quote:
Should I use Tor and a VPN?
By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides 0 additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. Read more about Tor bridges and why using a VPN is not necessary.
https://www.privacytools.io/providers/vpn/#info
|
fungusul
Fungus Kingdom


Registered: 07/16/20
Posts: 1,028
|
Re: Do you think some government agency owns some of the VPN out there? [Re: LemonTekno] 1
#27175266 - 01/28/21 09:02 PM (2 years, 11 months ago) |
|
|
Tor bridges are used to hide tor traffic as normal traffic(using a regular protocol) in a country where vpn and tor are blocked.
The inherit problem with tor is that you don't know who is running bridges/exit/entry points in the tor network. Somebody controlling enough of the entry/exit nodes and having enough analytics resources, could do a traffic correlation and identify you.
Choosing a trusted vpn(not in 5-eyes countries) ensures that the cost of going after your ip address is getting higher. To increase that cost, you can chain 2-3 vpn providers. If a vpn provider is in a country not willing to cooperate, then nothing can force their hand, only the local authorities.
Paying a vpn provider using bitcoins/cash breaks the money link.
By using a vpn, you are in control of the entry point.
|
Anonyman2021
Psilcybin Advocate


Registered: 02/08/21
Posts: 129
|
Re: Do you think some government agency owns some of the VPN out there? [Re: fungusul] 1
#27194578 - 02/09/21 12:13 AM (2 years, 11 months ago) |
|
|
Yes, the FBI ran a VPN on a carding forum before 'CarderPlanet' "A VPN FOR Carders By carders" it was actually logging everything ran by FBI.
You should assume every person is a Fed, and every computer is hacked or ran by the NSA.
Encrypt everything, Chain/Nest anonymity systems, and you'll be better off.
VPN + Tor etc
-------------------- Hi, this Shroomery account is about telling an honest truth about my personal experiences with Psilocybin Mushrooms, their role in my life, and their medicial benefits, supported by scientific studies. Also, I am advocating for Psilocybin Mushroom Decriminilization in the USA and Internationally, using Scientific Studies and Historical data, and personal accounts stories to detail the safety and medicinal and personal benefit of consuming Psilocybin Mushrooms. Feel free to PM about any mushroom or computer security related topic, I study CyberSecurity, Anonymity and Privacy Technology professionally.
|
junk_f00d


Registered: 12/04/15
Posts: 933
Last seen: 1 year, 2 months
|
Re: Do you think some government agency owns some of the VPN out there? [Re: fungusul]
#27205449 - 02/14/21 12:34 PM (2 years, 11 months ago) |
|
|
Quote:
Narrator said: If the VPN doesn't keep logs how could anyone tell how you had used the VPN?
All VPNs must log to some extent, or they couldn't provide customer service, debug, or a million other things.
Quote:
fungusul said: Assume that most of the VPN providers would cooperate with different agencies and keep logs. To mitigate this risk it's always a good idea to chain them and combine them with tor(known as tor over VPN). It might not be worth the effort, but that depends on your threat model.
A good source of information would be privacy tools io. Here are the vpn providers.
Why chain them if they can't be trusted in the first place? It's just a wider surface area of vectors and potential snoopers then.
Quote:
fungusul said: Using vpn and tor adds an extra layer of protection. Please note that recommended combination is tor-over-vpn and not vpn-over-tor.
Connect first to a vpn and then connect to tor. Using vpn prevents the tor entry node from seeing your ISP address, so in case your tor traffic is de-anonymized, then your ISP address is still protected. With other words, your traffic goes laptop-->ISP-->VPN-->TOR-->Internet.
My problem with this argument is that even if the first entry node having your IP was an issue (and it's not, if you disagree please explain), is that with a VPN you're still in the same situation, except now they have your VPNs IP. It's no different, so the argument doesn't hold water.
Quote:
fungusul said: The inherit problem with tor is that you don't know who is running bridges/exit/entry points in the tor network. Somebody controlling enough of the entry/exit nodes and having enough analytics resources, could do a traffic correlation and identify you.
If this was a realistic issue, Tor wouldn't work. There has not been a single documented case of someone being identified in this manner. If this were possible, they would not waste that surprise on a mushroom grower. That card would be saved for some international level shit.
~~~~~~~
I think the only potential benefit of a VPN (for Tor use) is to blend is as more normal traffic on your home network and that your VPN may be less likely to look into Tor traffic. Like with sterile work, extra steps generally introduce vectors, and I believe a VPN does the same.
|
fungusul
Fungus Kingdom


Registered: 07/16/20
Posts: 1,028
|
Re: Do you think some government agency owns some of the VPN out there? [Re: junk_f00d]
#27206224 - 02/14/21 07:52 PM (2 years, 11 months ago) |
|
|
Depends very much on what they log. A reputable privacy VPN would not keep logs, and if they keep them for a short period of time to identify issues, the logs could not be used to identify an user because they are not containing by design such information. Good VPN providers allows you to pay in an anonymous way.
Chaining VPN providers increases the cost of finding your IP address. Assuming tor was compromised, an attacker needs to find, starting with tor entry node, one by one, information about each VPN node, correlate in time the information about multiple shared IP addresses. The IP addresses for each VPN provider are coming from a shared pooled, so your IP address is shared between multiple users at different moments in time. This investigation takes time, money, and a cooperative VPN provider(without attacker needs to subpoena). More than 3 VPN providers is not practical because of speed. Also remember that, your tor browser encrypts the packages in an onion encrypted fashion(3 layers of encryption, first node knows to extract the first onion layer, second the second layer, third the third layer), so the traffic cannot be snooped by your VPN providers.
You don't need to trust them with your personal information, they know nothing about you if you payed for their services using anonymous method payments like bitcoin/monero/cash. Of course if you pay them with a credit card or any traceable money, there is no point using more than one.
Your internet provider knows where you live and it's from the same country as you. Most of the time they are happy to spy on you even without getting an official request.
A VPN provider can be from a different continent with no relationship with your country. Most of the time, they have no interest in spying on you unless they are a honeypot or they have received an official request.
The point of using a VPN is to anonymize your entry point to the internet because you can pay for it in an anonymous way.
If you are a target of NSA or other agencies, stay off the internet. If you are a happy shroomer you are probably OK without any chaining
|
stubb
Dahg Rastubfari


Registered: 03/23/19
Posts: 1,310
Loc: Memory
|
Re: Do you think some government agency owns some of the VPN out there? [Re: fungusul]
#27206255 - 02/14/21 08:04 PM (2 years, 11 months ago) |
|
|
--------------------
🆃🄴🅰🄼 🅲🄻🅸🄽🅶🅆🆁🄰🅿 You wake up. The room is spinning very gently round your head. Or at least it would be if you could see it which you can't. It is pitch black. > TURN ON LIGHT
|
junk_f00d


Registered: 12/04/15
Posts: 933
Last seen: 1 year, 2 months
|
Re: Do you think some government agency owns some of the VPN out there? [Re: fungusul]
#27206512 - 02/14/21 11:32 PM (2 years, 11 months ago) |
|
|
Quote:
fungusul said: Depends very much on what they log. A reputable privacy VPN would not keep logs, and if they keep them for a short period of time to identify issues, the logs could not be used to identify an user because they are not containing by design such information. Good VPN providers allows you to pay in an anonymous way.
"Reputable", along with internal issues like data lifespan, are trust based claims made by VPN salesmen and are vectors.
Quote:
Chaining VPN providers increases the cost of finding your IP address. Assuming tor was compromised, an attacker needs to find, starting with tor entry node, one by one, information about each VPN node, correlate in time the information about multiple shared IP addresses. The IP addresses for each VPN provider are coming from a shared pooled, so your IP address is shared between multiple users at different moments in time. This investigation takes time, money, and a cooperative VPN provider(without attacker needs to subpoena). More than 3 VPN providers is not practical because of speed.
I understand you're speaking hypothetically, but there is no reason to assume "Tor is comprised"; long before that, in any hypothetical, your VPN would be (see links below). And if you're being personally targeted, I have a hard time imagining budget issues being on the list of governmental concerns. Chaining VPN providers also creates incredibly unique traffic and more points of failure. There are more Tor users at any given time than users of a particular VPN service.
Quote:
You don't need to trust them with your personal information, they know nothing about you if you payed for their services using anonymous method payments like bitcoin/monero/cash. Of course if you pay them with a credit card or any traceable money, there is no point using more than one.
This is an example of a VPN being a vector, not an asset
Quote:
The point of using a VPN is to anonymize your entry point to the internet because you can pay for it in an anonymous way.
Or you can use Tor and not pay anything and have no ties to this entry point. Also it is non-trivial, actually quite complicated, to truly anonymously acquire a VPN. This step is chock full of vectors, and if not done properly you lose all the supposed advantages.
Quote:
If you are a target of NSA or other agencies, stay off the internet.
True! Realistically, if you're threat model is personal targetting by govt agencies you're not going to hide for long. Fortunately, all we need to worry about as shroom growers, in terms of online traffic, is the dragnet IMO, not personal targeting.
Ultimately, for our use case, I see no merits in a VPN given that bridges exist. In other words, the downside of Tor that's being presented is that your ISP "might report you". But I've never heard of this leading to an investigation or even increased snooping by LE. In fact, I've never even actually heard of this occurring at all. Comcast, one of the largest internet providers, actually actively encourages the use of Tor, for example. Until it is demonstrated to me that Tor usage alone may contribute to my demise, I don't see the purpose of a VPN personally (at least in the states), and this decision saves me a bit of money as well. A VPN is just a misdirection, an inconvenience. I would rely on inconveniences in my OpSec.
I've been using Tor somewhat regularly for almost ten years now, I've never had black sedans parked outside my house or anything lol. No letters in the mail, nothing. That being the case, I struggle to see what a VPN offers me. If I had one of these fabled hostile ISPs, though, I would probably look toward a Tor bridge before a VPN.
Quote:
If you are a happy shroomer you are probably OK without any chaining 
"A chain is only as strong as its weakest link" :-)
This post is just my unqualified opinion of course, and I'm admittedly a bit of a Tor purist and think some backlash against the VPN industry is fair (note that Tor is a non-profit, open source project; it isn't motivated by profits). In all practicality, it's not as though Tor-over-VPN is gonna be what gets OP busted, but I wanted to point that just straight Tor is perfectly fine, and can in some sense be considered better.
I do see the merits in a VPN for stuff like torrenting, where I'm very much just trying to sidestep my ISP, and not relying on it for security, privacy or anonymity. Essentially, I believe you should not rely on a VPN or proxy as any part in your plan for security, privacy or anonymity (VPNs were not designed for these applications), but do think they have utility in the same way proxies do.
Tor over VPN versus Tor: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN https://2019.www.torproject.org/docs/faq.html.en#IsTorLikeAVPN https://outline.com/yXm2LJ ; https://security.stackexchange.com/a/125008
and some anti-VPN propaganda  https://gist.github.com/joepie91/5a9909939e6ce7d09e29 https://www.bleepingcomputer.com/news/security/cyberstalking-suspect-arrested-after-vpn-providers-shared-logs-with-the-fbi/ https://www.zdnet.com/article/more-privacy-busting-bugs-found-in-popular-vpn-services/ https://thehackernews.com/2018/03/vpn-leak-ip-address.html https://www.deepdotweb.com/2018/02/27/hotspot-shield-vpn-leaking-users-data-location/
Edited by junk_f00d (02/15/21 12:05 PM)
|
fungusul
Fungus Kingdom


Registered: 07/16/20
Posts: 1,028
|
Re: Do you think some government agency owns some of the VPN out there? [Re: junk_f00d]
#27207382 - 02/15/21 12:46 PM (2 years, 11 months ago) |
|
|
In my opinion, users should think in layers and compartmentalization about security and privacy. You should not trust a single layer to protect you, and to have a single point of failure. In this particular case, all the trust goes to the tor software.
It's known that there is no software without bugs, or zero days exploits. Some of the bugs are not fixed for longer period of time or never found because they are never reported. Just look at the list of known issues for tor. As you've mentioned, gov would not use a zero day exploit on a non target.
Don't get me wrong, I love and use tor software since it was created, but I always acknowledge that any software can fail you and you should be prepared for that.
Most of the users get de-anonymized when using tor because they have not read the instruction manual on what not to do when using tor. Some of the common issues are: - using an older version of tor - skipping pgp signature check before they install tor - checking into online personal accounts like fb, twitter, email, etc - visiting web sites that perform code injection of malware on your computer - opening documents that call home - changing tor defaults without understanding ...
There are VPNs and VPNs. Most of the stories you read in news about them are coming from either their competitors or govt propaganda. Those are the VPNs which most of the people use for their netflix or other blocking issues.
There are also privacy VPNs. Look at trusted VPNs by community, that have audits and they are respected. Do you fully trust them, probably no, but they are not your average/consumer VPN provider. The privacy io community has detailed the criteria for choosing a VPN, what to look for.
About Comcast, a google search: - they were caught injecting tracking headers - comcast spying on users
Other ISP providers like Verizon are using super cookies. This super cookie is injected into your headers and you can be tracked cross websites.
Why would anybody trust their ISP provider not to spy on them? They can make lot of money selling your internet habits. I choose to not trust them, consider them to a dumb pipe.
|
junk_f00d


Registered: 12/04/15
Posts: 933
Last seen: 1 year, 2 months
|
Re: Do you think some government agency owns some of the VPN out there? [Re: fungusul]
#27207443 - 02/15/21 01:19 PM (2 years, 11 months ago) |
|
|
*It is worth noting that the issues you've posted don't compromise the integrity of Tor, for example "dark mode not working" is an irrelevant issue.
The fact that bad opsec is what leads to failure, not Tor, is my point. If Tor didn't work, they'd be busting people by their Tor usage, but this doesn't happen. Opsec is the most common failure point no matter what, and that's part of the reason more components can be dangerous as it's more points to screw up on.
By increasing the amount of software used, you're increasing the points of failure. A VPN ultimately offers no concrete benefit in the way Tor does, but instead only creates thin layers of misdirection at best, and critical flaws at worst. To quote the stack exchange link I posted earlier:
Quote:
One of the core tenets of building secure systems is that you minimise the attack surface, and resist additional components and features wherever possible to keep in line with this. As such, if one cannot identify a strong reason to include a component in the system, and quantify that reason against the threat model, the additional component should not be included. This question is worded in a way that assumes that the VPN provides some benefit, and that removing it is what should be questioned, when in fact the inverse is true: the correct question should be whether adding a VPN layer to Tor provides any tangible benefit.
This theme of minimizing attack surface and resisting additional components is consistent throughout the field of computer security. I understand not wanting to trust a single layer to protect you, but adding layers that are more easily compromised isn't good practice and can, and does, lead to failure. If you have a solid core that's robust against your threat models, I don't see a reason to add potential vulnerabilities.
Also, viewing Tor as a "single layer" is a bit misleading. Yes it's one software bundle/organization, but calling it a "single layer" produces inaccurate connotations IMO. It is a system that's made for exactly what we're trying to do, it's called "The Onion Router" because it relies on many layers, like an onion. So it is only a "single layer" in that these layers have been prepackaged for you, like an onion.
A VPN is like a sticky note on the onion that says "not an onion".
Quote:
Most of the stories you read in news about them are coming from either their competitors or govt propaganda
If you're going to make a claim this, I'm going to ask that you provide proof and be more specific. What "stories" are you talking about? Even if the stories I posted were fabricated, they are perfectly possible and that's enough to dissuade me. On the contrary, the VPN industry is propped up massively by VPN companies selling false promises of increased security and making impossible claims like "0 logs". The theme of this thread, ironically, is gov't owned VPNs, and it's not impossible that some VPNs may be in bed with the govt as an attempt to catch those naively relying on them for security.
I don't want to look at "trusted VPNs" because I don't want to rely on trust at any point in my process.
And I wasn't at all intending to imply Comcast is great, lol. Your links aren't relevant to ISPs promoting, dissuading or reporting Tor usage. My point was that ISPs aren't necessarily "reporting Tor usage" and that therefore Tor usage isn't leading to increased surveillance of the user. There simply isn't enough man power to do something like that, and I've never heard of Tor usage actually leading to increased surveillance, but I'd be interested in knowing if I've missed something like that. I would probably look into obfuscating my Tor traffic with bridges or methods if this has actually happened before.
anyway, I don't trust my ISP either, that's why I use Tor. Not sure what your point is about bashing IPs, I was never saying I like them or anything. This is about the merits of VPNs from the perspective of mushroom growers. I think the utility of a VPN ends as a proxy, and would prefer a Tor bridge or some similar solution over a VPN, but that's just me. I do think it should be noted that a VPN should not be depended on for security, privacy or anonymity in the way Tor can be and is. And I wanted to post my thoughts for other readers so they don't make the mistake of depending on a VPN for the purposes beyond obfuscation, as happens frequently and quality discussion on this topic is good for any forum, even (especially) if we disagree.

For any readers in the future, computerphile has some interesting videos on Tor that provide a high level overview of how it works:
Edited by junk_f00d (02/15/21 02:04 PM)
|
fungusul
Fungus Kingdom


Registered: 07/16/20
Posts: 1,028
|
Re: Do you think some government agency owns some of the VPN out there? [Re: junk_f00d]
#27208435 - 02/15/21 09:36 PM (2 years, 11 months ago) |
|
|
Using tor-over-vpn doesn't increase the attack surface. First the attacker needs to de-anonymize tor traffic, find your entry point, learn that you are using a specific VPN, and later launch an attack(or subpoena) on the VPN provider. Attacker cannot attack a VPN provider before knowing the tor entry point. Without any VPN in the middle, attacker goes straight to your ISP.
As a side note, connecting to VPN provider using OpenVPN on an router running open source and routing all traffic though it, with a kill switch, provides an extra security layer that protects user against some of the mistakes. Installing VPN client software on your workstation increases the attack surface.
While the tor onion model uses encryption to hide the traffic between nodes and obscures the identity of nodes, an attacker using traffic confirmation can identify a user without breaking tor's encryption. Sometimes, the attacker only needs to prove that it was you when an website/server was accessed. Using a VPN makes traffic confirmation more resource intensive because it acts like a mixer.
More to read on traffic correlation on https://blog.torproject.org/traffic-correlation-using-netflows?page=1.
There are a lot of articles discussing tor anonymity:
https://securityaffairs.co/wordpress/30202/hacking/tor-traffic-analysis-attack.html https://restoreprivacy.com/tor/ https://blog.torproject.org/thoughts-and-concerns-about-operation-onymous
but they shouldn't discourage people from using tor. More people using tor, the better.
For shroomers interested in anonymity and privacy this is a good podcast created by a former FBI investigator https://www.inteltechniques.com/podcast.html.
Tor is the best tool for anonymity on the internet when used properly. It's not perfect, but way better than other alternatives.
|
junk_f00d


Registered: 12/04/15
Posts: 933
Last seen: 1 year, 2 months
|
Re: Do you think some government agency owns some of the VPN out there? [Re: fungusul]
#27208563 - 02/15/21 10:38 PM (2 years, 11 months ago) |
|
|
Quote:
fungusul said: Using tor-over-vpn doesn't increase the attack surface.
By definition, it does; the (attackable) surface area of your system has grown. Importantly, in the US at least, ISPs are granted common carrier rights, VPNs are not. Another example:
Quote:
by connecting to a VPN you usually have routing rules which send LAN traffic through the VPN. This means that non-Tor data (e.g. NetBIOS, WINS discovery packets, DNS, OS / application update queries, etc.) might get sent through that same VPN channel, resulting in a log of your Tor and non-Tor behaviour occurring at the same time through the same endpoint.
and
Quote:
if you're connected to some open WiFi somewhere (e.g. a cafe) you're then potentially tying your identity (from the VPN billing details) to your location, and the fact that you're using a VPN plus Tor. Not ideal if you're a journalist in an oppressive state, or a drugs trafficker trying to keep himself hidden.
those are examples of attack surface increasing and opsec errors becoming more probable (both taken from the stack exchange link).
Quote:
First the attacker needs to de-anonymize tor traffic, find your entry point, learn that you are using a specific VPN, and later launch an attack(or subpoena) on the VPN provider. Attacker cannot attack a VPN provider before knowing the tor entry point. Without any VPN in the middle, attacker goes straight to your ISP.
This is an odd hypothetical. Number one, if they've de-anonymize Tor they'd see your entry point as the VPN immediately. Number two, no one has been incriminated in this manner, and if the nation state has committed to such an attack, subpoenaing your VPN(s) will be a non-issue. Lastly, your ISP can see the IP of your VPN server as well. As said above, ISPs have greater legal right than VPNs, but we shouldn't be relying on such fragile things at any rate. I dont see what utility the VPN is providing in this case, anyway.
Quote:
While the tor onion model uses encryption to hide the traffic between nodes and obscures the identity of nodes, an attacker using traffic confirmation can identify a user without breaking tor's encryption. Sometimes, the attacker only needs to prove that it was you when an website/server was accessed. Using a VPN makes traffic confirmation more resource intensive because it acts like a mixer.
This is silly IMO. Tor says right on their website they can't do anything about traffic confirmation nor do they try to.Yes, there are attacks able to be executed on Tor, but this has never lead to anyone's arrest. These attacks are largely academic and struggle with the issues of scale that occur "in the field" (especially traffic confirmation, where both exit and entry nodes are monitored - that's extremely unrealistic, hence the silliness) outside of lab settings and Onion Routing was specifically designed to be robust against traffic correlation attacks.
I don't know what you mean about a VPN making traffic confirmation more difficult. If traffic confirmation is occuring Tor is not a reasonable tool to use. The fact that Tor works implies traffic confirmation isn’t occurring. This is also supported by it being unprecedented in court (to my knowledge)
The question is "how does a VPN help in this scenario"? We're both depending on Tor critically, but you believe a VPN adds value to your stack, while I don’t. I still struggle to see the value proposal here and am concerned about the problems it brings to my current usage of Tor alone.
Edited by junk_f00d (02/16/21 09:26 AM)
|
fungusul
Fungus Kingdom


Registered: 07/16/20
Posts: 1,028
|
Re: Do you think some government agency owns some of the VPN out there? [Re: junk_f00d]
#27209401 - 02/16/21 01:01 PM (2 years, 11 months ago) |
|
|
As you've mentioned, using more software increases the total attack surface area, I don't disagree with that. A system composed from multiple layers(compartments) has multiple attack surfaces. However, this is an oversimplification, since VPN and TOR are on different compartments, they belong to different attack surfaces. Adding VPN, doesn't increase the attack surface of the first compartment composed by TOR, in my opinion.
It's probably easier to see this separation of compartments when running a system like Whonix(https://www.whonix.org/). Whonix wiki describes how to use a VPN with TOR(https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor#Introduction) though they don't necessarily recommend unless specific use cases.
Whonix are also describing the risks of using a VPN before TOR, so they agree with you See "VPN Tunnel Risks" section(https://www.whonix.org/wiki/Tunnels/Introduction#Connecting_to_a_Tunnel-link_.28Proxy.2FVPN.2FSSH.29_before_Tor.
This is a very hot debate on benefits of using tunnel before or after TOR and the community is split. We aren't going to find a solution for this issue, but it's a good discussion for members that want to learn more.
An example of increasing TOR attack surface is installing Firefox add-ons, which they run on your local machine, and increase your fingerprint.
Quote:
by connecting to a VPN you usually have routing rules which send LAN traffic through the VPN. This means that non-Tor data (e.g. NetBIOS, WINS discovery packets, DNS, OS / application update queries, etc.) might get sent through that same VPN channel, resulting in a log of your Tor and non-Tor behaviour occurring at the same time through the same endpoint.
Yes, all your traffic goes thorough VPN, but this is no different than going through ISP. I choose to trust VPN over ISP. However, you can choose for your DNS requests to use VPN's DNS servers(recommended because they appear to be on the same location as your exit point, prevent dns kleaks) or to use the ones you like(hopefully not the ISP ones).
Quote:
This is an odd hypothetical. Number one, if they've de-anonymize Tor they'd see your entry point as the VPN immediately. Number two, no one has been incriminated in this manner, and if the nation state has committed to such an attack, subpoenaing your VPN(s) will be a non-issue. Lastly, your ISP can see the IP of your VPN server as well. As said above, ISPs have greater legal right than VPNs, but we shouldn't be relying on such fragile things at any rate. I dont see what utility the VPN is providing in this case, anyway.
See this case for de-anonymizing tor users: https://www.techtimes.com/articles/200592/20170307/fbi-drops-child-pornography-case-to-avoid-disclosing-tor-vulnerability.htm. This event happened in 2017.
Subpoenaing your VPN can be a big issue for them, if for example your VPN provider is in Russia/Switzerland/Panama/Germany... They must provide a case in court to get any information, which in the end might not achieve nothing. Subpoenaing your ISP is a simple request without too much oversight, and again ISP is happy to cooperate.
Quote:
These attacks are largely academic and struggle with the issues of scale that occur "in the field" (especially traffic confirmation, where both exit and entry nodes are monitored - that's extremely unrealistic, hence the silliness) outside of lab settings and Onion Routing was specifically designed to be robust against traffic correlation attacks.
The academic tests were done a long time ago, in 2006, I think. That was 14 years ago, so a lot of things have changed. Following Snowden's revelations, we know now for sure that govt has such surveillance capabilities. I doubt they are ever going to use them on a regular shroomer. Because you don't see them in a court case, it doesn't mean they don't exist.
Now back to the VPN usefulness, one of the things you keep hearing is that VPN are just some dumb proxies but that is not true anymore. For example they encrypt the traffic with strong encryption, protect against DNS leaks, protect against IP6 leaks, protects WIFI connection, connection obfuscation, malware protection, trusted servers that run in memory. I don't want to sound like vpn propaganda, but they do add value for regular users without security/privacy knowledge.
Some of them provide advanced multi-hop services https://restoreprivacy.com/vpn/multi-hop/. This sounds a lot like what TOR is doing with onion nodes. Some provide connection obfuscation which hides VPN traffic as normal traffic, which again sounds like tor bridges.
Using VPN in tor-over-vpn configuration is something that everybody needs to decide for themselves. I do believe that is a good option for me .
|
junk_f00d


Registered: 12/04/15
Posts: 933
Last seen: 1 year, 2 months
|
Re: Do you think some government agency owns some of the VPN out there? [Re: fungusul]
#27209624 - 02/16/21 03:19 PM (2 years, 11 months ago) |
|
|
Quote:
they belong to different attack surfaces. Adding VPN, doesn't increase the attack surface of the first compartment composed by TOR, in my opinion.
right, but I still believe in minimizing vectors and attack surface. IMO the VPN just doesn't do anything useful yet provides increased opportunity for failure, like the examples quoted earlier.
Quote:
An example of increasing TOR attack surface is installing Firefox add-ons, which they run on your local machine, and increase your fingerprint.
I just want to point out this arguement isn't about whether Tor is comprimised, but whether a VPN is useful with Tor. This is an Opsec issue, and Opsec is the hardest part IMO. That's another reason I opt out of VPNs as it's more potential for my stupid human brain to screw up on.
Quote:
Yes, all your traffic goes thorough VPN, but this is no different than going through ISP. I choose to trust VPN over ISP.
I don't see the issue here. I'm not "trusting" my ISP by using Tor without a VPN. Both of them know you'll be using Tor, and both of them may be compliant with authorities. As you say, it's no different, so I don't bother, and I trust neither.
Quote:
See this case for de-anonymizing tor users: https://www.techtimes.com/articles/200592/20170307/fbi-drops-child-pornography-case-to-avoid-disclosing-tor-vulnerability.htm. This event happened in 2017.
I was aware of this, but we don't actually know what happened here. It may not be that Tor is compromised in general, but that these individuals were personally targeted and perhaps subject to something like targetted traffic confirmation, for example. The fact they let them go free just to not disclose has kept my faith in Tor, since they certainly wouldn't waste such a disclosure on me. But again this isn't about the issues of Tor, it's about the merits of a VPN.
Quote:
Subpoenaing your VPN can be a big issue for them, if for example your VPN provider is in Russia/Switzerland/Panama/Germany... They must provide a case in court to get any information, which in the end might not achieve nothing. Subpoenaing your ISP is a simple request without too much oversight, and again ISP is happy to cooperate.
At any rate, in both of these cases where the ISP or VPN provider is subpoenaed (assuming proper OpSec took place) all that would happen is they'd see Tor traffic. It's not adding anything to what Tor is already doing, so I don't bother. I don't have to be worried about my ISP revealing anything, because I ensure to never trust them. The same should go for proper VPN use, thus it should never be relied on as a security asset. Ergo, it is excluded from my security stack.
Quote:
Now back to the VPN usefulness, one of the things you keep hearing is that VPN are just some dumb proxies but that is not true anymore. For example they encrypt the traffic with strong encryption, protect against DNS leaks, protect against IP6 leaks, protects WIFI connection, connection obfuscation, malware protection, trusted servers that run in memory. I don't want to sound like vpn propaganda, but they do add value for regular users without security/privacy knowledge.
VPNs are extremely similar to proxies in terms of design and function. Essentially a proxied ISP. So I don't think the dumb proxy argument is without merit, they've just begun tightening up on bug fixes and paying more for advertising. And many providers fail to do these basic things you've mentioned. We have no way of truly knowing, so it's another trust point (aka failure point). And on top of that, bugs happen, leaks happen, lazy sysadminning happens. You're _trusting_ that they do these, and that they do them properly. These VPN companies aren't as robust, large or time tested like Tor, which naturally protects against what you've mentioned. Unlike a VPN company, you can look at the code yourself, the whole world can.
Quote:
Some of them provide advanced multi-hop services https://restoreprivacy.com/vpn/multi-hop/. This sounds a lot like what TOR is doing with onion nodes. Some provide connection obfuscation which hides VPN traffic as normal traffic, which again sounds like tor bridges.
IMHO, this is just VPN marketing/hype to sell more VPNs. It's simply chaining VPNs, but instead like a series of proxies with a (hopefully) shared pool of IPs at each proxy location. Onion Routing is far more than that. All the criticisms applied to VPNs so far simply apply to this as well. The robustness of this option depends on implementation details, which we will never know, so it, again, comes down to trust. Is the purpose of all this to achieve anonymity, or to obscure the fact you're using Tor? I would never place trust in something like this, as it's way too dependent on implementation details that aren't publicity viewable. It also introduces OpSec vectors, like using the same registration details or IP at various providers and it requires perfect OpSec when paying for the last VPN in the chain else the anonymity is broken if subpoenaed as you'll be ID'd. And as a way to obscure my Tor entry point, well.. you know where I stand on that, I'd just use a bridge.
Quote:
following Snowden's revelations, we know now for sure that govt has such surveillance capabilities
I want to note here that Snowden did not reveal Tor vulnerabilities, but he did reveal what was already publicly available information concerning the PRISM act, or the dragnet style surveillance across many devices and comms infrastructure internationally. Snowden is a big Tor advocate. From what I've gathered, you use a VPN because you're worried about Tor being untrustworthy or exploitable, but a VPN is far less trustworthy in every aspect (socially, architecturally, financially, etc). In this scenario, it's fundamentally no different than the service my ISP provides. Both should not be trusted, and to see value in a VPN requires trust. In my unqualified opinion, the benefits of a VPN are nebulous at best. The only supposed benefit seems to be that they _may_ be less co-operative than my ISP, but I don't trust my ISP anyway, so I don't care if they're co-operative or not. Even if true, that's speculative, and they may be malicious instead.
Anyway, I think I've said what I wanted to say. I don't mind continuing the conversation, but also don't mind agreeing to disagree. In essence, I prefer to minimize vulnerabilities, thus I prefer to place no trust in my ISP/VPN, so I don't see the utility a VPN offers me. Additionally, using a VPN combined with Tor puts more stress on the OpSec requirements, which is the most common failure point, so to me it's clear this should be avoided. If I desire obfuscation because I'm worried about my ISP seeing my Tor traffic, which I'm not, I'd use a Tor bridge instead of a VPN.
But, clearly we're both fine, and I use plain https 99% of the time anyway But I do make sure to keep very clean distinctions between what takes place on Tor, and what takes place on https.
Edited by junk_f00d (02/16/21 09:47 PM)
|
oursoulsinmotion
🐵🙈🙉🙊



Registered: 10/04/21
Posts: 3,380
Last seen: 1 day, 5 hours
|
Re: Do you think some government agency owns some of the VPN out there? [Re: junk_f00d]
#27653922 - 02/10/22 02:54 PM (1 year, 11 months ago) |
|
|
|
Anonymous #2
|
Re: Do you think some government agency owns some of the VPN out there? [Re: oursoulsinmotion]
#27654472 - 02/10/22 09:46 PM (1 year, 11 months ago) |
|
|
I do VPN then Tor, so Tor Guard node, first hop, the Tor network only see's the VPNs IP instead of my home IP.
This way, even if my Tor Guard is maliscous or my Entire Tor circuit is compromised, the digital trail leads to a VPN server bring used on a shared IP, by dozens of people at the same time.
To OP, yes govs can run vpns and tor nodes. Assume both.
You can setup your own vpn on a datacenter.
|
BSUUF2
derails threads



Registered: 10/15/20
Posts: 666
Loc: not that important
Last seen: 1 year, 10 months
|
Re: Do you think some government agency owns some of the VPN out there? [Re: Anonymous #2]
#27658029 - 02/13/22 09:35 PM (1 year, 11 months ago) |
|
|
Quote:
Anonymous #2 said: I do VPN then Tor, so Tor Guard node, first hop, the Tor network only see's the VPNs IP instead of my home IP.
This way, even if my Tor Guard is maliscous or my Entire Tor circuit is compromised, the digital trail leads to a VPN server bring used on a shared IP, by dozens of people at the same time.
To OP, yes govs can run vpns and tor nodes. Assume both.
You can setup your own vpn on a datacenter.
ALL VPNs are assumed to be data miners, government entities, money laundering operations or a combination of any (hey, how to clean up dirty crypto easy? Alpraking knew that already in 2016). So mostly useless, except maybe if one is into pirating content.
It's VPN over Tor, in case of some website blocking exit nodes. It's likely sites blocking exit nodes block VPNs too. So VPNs seem just to be a racket to siphon off of people by various means. Anyone semi-clever just uses a SSH tunnel over Tor into a VPS, of course bought over Tor with fungible crypto, in that case, though their IP ranges might be blocked too. Or just get into the next libraries WiFi.
-------------------- LAGM2022
Edited by BSUUF2 (02/13/22 09:37 PM)
|
Shroomintune
Gentleman Farmer



Registered: 06/04/21
Posts: 266
Loc: Outside of the Asylum
|
Re: Do you think some government agency owns some of the VPN out there? [Re: BSUUF2]
#27661641 - 02/16/22 05:57 PM (1 year, 11 months ago) |
|
|
I'm pretty sure we can say with 100% certainty that the US Government runs Tor nodes, as they are the ones who wrote and released Tor to begin with.
|
BSUUF2
derails threads



Registered: 10/15/20
Posts: 666
Loc: not that important
Last seen: 1 year, 10 months
|
Re: Do you think some government agency owns some of the VPN out there? [Re: Shroomintune]
#27661667 - 02/16/22 06:22 PM (1 year, 11 months ago) |
|
|
Quote:
Shroomintune said: I'm pretty sure we can say with 100% certainty that the US Government runs Tor nodes, as they are the ones who wrote and released Tor to begin with.
If you're that important, to have the NSA run correlation attacks, etc. (most markets these days just exit scam, only Eckmar dumbfucks tend to get busted, I wouldn't be surprised if some of these markets are three-letter-agency operations to get some black budget...), I'd roam around in an RV and switch burner phone/SIM every week or so...
And Tor isn't meant to protect against a global adversary, like the NSA.
That was about 10 years ago: https://www.eff.org/files/2014/04/09/20131004-guard-tor_stinks.pdf
Tor bridges make you stick out, VPNs make you stick out, just use Whonix one some FDE Linux host... I use Qubes/Whonix mostly out of convenience running multiple Whonix DispVMs for different topics, since Firefox sandboxing is basically non-existent and I don't want these data miners invading my privacy.
-------------------- LAGM2022
Edited by BSUUF2 (02/16/22 06:23 PM)
|
|