Data security and privacy how-to

[Polypro]

Quote:

Originally Posted by Sharky

Another one that rated high was "Hide My Ass" and it is slightly cheaper.

This is where hanging out in this "area" of the internet helps. HMA, despite what they say, will roll over.

https://www.informationweek.com/secu...scom/231602248

Now, let me first say this: I don't like criminals either. I fully understand that a business has to follow the laws of their jurisdiction. BUT, that doesn't mean they have to do one iota more, to make it easier. HMA, despite "no logs" in their marketing material, obviously logged. There is no requirement to log that I have seen, anywhere...even in the US (which is sadly funny to even have to say...wherefore art thou Thomas Jefferson?).

Technically, the only time your IP address should be visible to the VPN operator, is when you are actually connected to it. After that, it should disappear. HMA obviously decided to keep records, despite the marketing spiel.

HushMail is the same way - great rep, but they stated that they will infect you with malware, to get your pass, if asked by a court.

You need to use systems that are designed to make that stuff technically impossible.

Now, is there still trust involved? Of course. Unless you run the service yourself, trust is needed. Mullvad said they don't log, and I believe them. But am I *sure*? Nope, because I don't work there. You have to go on reputation and past performance.

The 3 VPN providers that always rise to the top from actual customers, are: Mullvad, Air, and Boleh. Are there others? Probably. Read the terms of service as far as logging, and look at where the HQ is located as far as internet privacy laws go, and what it would require from a court, to roll over.

Mullvad takes cash - cool. Air takes Bitcoin, and allows connections via Tor - cool. I think Boleh takes Bitcoin too.

Also, if you *are* a crook, and can be presented with proof of that, by a court, it *is* possible for a VPN to re-configure your account *to log*, and provide real-time connection data to LE. They may not be able to read your traffic, but they can tell when you are on. No business is going to go to bat for a crook. But other than actual proof, a good VPN will should be able to say "we have nothing to give you" during fishing expeditions.

P

[Glock-A-Roo]

CV, thanks a ton, very much appreciated and noted.

Quote:

Originally Posted by Polypro

The 3 VPN providers that always rise to the top from actual customers, are: Mullvad, Air, and Boleh.

Not that Poly needs any feedback at all from me but for you other guys who are just now looking in to VPNs, I got the same research results: Mullvad, Air, and Boleh.

Quote:

Originally Posted by Polypro

Are there others? Probably. Read the terms of service as far as logging, and look at where the HQ is located as far as internet privacy laws go, and what it would require from a court, to roll over..

Interesting detail regarding Mullvad: they are based in Sweden whose laws require logging by all ISPs. But Mullvad is strictly a VPN resource and is not subject to their domestic logging requirements. Of course, you gotta trust somebody but this arrangement is a plus.

[Polypro]

Yes, VPN and email providers are not ISP's...different rules apply.

But, say for example a new law is passed. Well, VPNs that allow connection via Tor still couldn't give your location away.

P

[CV]

Mullvad uses OpenVPN (OpenVPN using 2048-bit RSA and 128-bit Blowfish encryption). It's my choice at the moment. Subscription based.

[EightyDeuce]

I see that Poly mentioned startpage once before over in the Verizon thread but I now see they are working on startmail as well "worlds most private email"

https://startmail.com/

anyone familiar with either of those?

[CV]

I know nothing of it, but I am signed up for the beta. I'll be checking it out once it's released. There's a few things to look for but knowing Ixquick, it should be a competitive product to the others.

[Armitage12]

I've also come across DNSCrypt, which will (if I understand it correctly) will encrypt the look-up for an internet address, so that even if you're hidden your glance to the 'yellow pages' will not reveal who and what you are. It prevents 'man-in-the-middle' attacks where someone could mis-direct you from the internet location you wish to obtain (looking up in the yellow pages) to the internet location *they* wish you to obtain. It complements, if I understand correctly, VPN use.

[Polypro]

Kind of - DNSCrypt does do what you say, but you have to use OpenDNS. They are US based, so if you are worried about a server raid, or co-operation...there's that. They know where you are, unless you choose them as the DNS for your VPN (not sure if both can co-exist)...but see below.

A good privacy oriented VPN, will route all DNS requests through the VPN tunnel with this command:

Quote:

xxxxxxxx 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS xxxxxxx,comp-lzo no,route xxxxxxx,topology net30,ping 10,ping-restart 60,ifconfig xxxxxxxxxxxxx'

So your ISP can't see them, and if your provider is overseas, there is no server raid threat. The provider should also anonymize all requests, so it wouldn't matter if they used Google DNS (some do, and it's fine).

A VPN almost does the same thing, and your request doesn't point to your location...so in some ways, it's better, IMO.

P

[BOFH]

Just so nobody thinks I forgot about this thread after starting it, I've been trying to play around a bit with the *free* VPN options out there, in order to give a recommendation. Sadly, a lot of them require the user to use *their* VPN client, which I already don't trust, but since I run Linux, not Windows, I can't test them out. I'll still get back in with a good free option, and a rundown on how to set it up.

[Armitage12]

Poly--thanks for that clarification.

Just signed up for a pay VPN (Private Internet Access). Works very easily, and has tools to allow for different flexible usages (like a dead-switch to cut the internet usage off if the VPN is disconnected).

The only issue that has come up and that is apparently a common one is that GMail is not happy when I attempt to access my email (POP, but also a problem with IMAP apparently) through the VPN. It wants to see me coming from my usual location, not Loki-like from different places. There is a solution I'm exploring (among others) other than switching out from GMail. I thought those on here learning about VPNs would like to know of this.

[Polypro]

GMail may have an option to disable the strict checks, don't know. I have my phone pull all Gmail (it's all BS email anyway, I don't use PrismMail.

If they offer a US server, that may stop the checks as well...people travel.

I would never trust a free VPN, JMO. And you need to read the privacy policy. If you see anything about logs or data retention, I'd be wary.

Read this one, from a popular option...no thanks

Quote:

We are a US company, and this agreement is governed by US law.

We use your IP address to help diagnose problems with our server, and to administer our Web site. Your IP address is used to help identify you and to gather broad demographic information.

As a provider of online-enabled services, we require users to provide contact information, such as their name and e-mail address, credit card, as well as other necessary data, dependent upon the service, to set up and maintain their services with XXXX.com.

We will never resell or provide your information to a third party unless we are required to do so in order to conform with a legal requirement, comply with the legal process...

In addition to the information you provide through our order-form, we may store the following pieces of data: IP address, times when connected to our service, and the total amount of data transfered per day. We store this to be able to deliver the best possible network experience to you. We keep this information secure and private.

We do not as a matter of ordinary practice store private information about individual user activities on our network, such as emails, chats, VOIP calls, websites visited, etc. However, should we receive a valid request from US law enforcement officials, we may be forced to comply, even with no warning to the user.

P

[Polypro]

Haven't used this yet, but something to check out. Based on the Bitcoin style network, Bitmessage:

https://bitmessage.org/wiki/FAQ

Downloads up 10x since June

P

[Trig]

Quote:

Originally Posted by Polypro

Kind of - DNSCrypt does do what you say, but you have to use OpenDNS. They are US based, so if you are worried about a server raid, or co-operation...there's that. They know where you are, unless you choose them as the DNS for your VPN (not sure if both can co-exist)...but see below.

About 50% of the time I use a VPN with DNSCrypt always using OpenDNS. They play fine together for me. The DNSCrypt thwarts MITM attacks, and the poly I mean proxy leads big brother to a cold trail in whatever part of the world I choose. (Is that accurate Poly?)
I'm learning to overcome my fear of big words in order to beef up my infosec. Next thing you know I'll be typing about md5 unsalted hash algorithm's and rainbow tables.

[assertnull]

Quote:

Originally Posted by Polypro

Haven't used this yet, but something to check out. Based on the Bitcoin style network, Bitmessage:

https://bitmessage.org/wiki/FAQ

Downloads up 10x since June

P

cloned yesterday, been fiddling with off and on since; a few things:
1 - PyBitmessage doesnt work with python-3, at least, master.git doesn't.
2 - requires a port forward for normal usage, OR, it does support Tor
3 - watching the exchanges flying across your terminal is very, very entertaining

The echo test did not appear to work. I'm going to leave it running for a bit unless it starts leaking memory, if anyone else is playing with this and wants to do a test message, BM-2D8wKcn8JMjZTujkmuPeY4wHtopDAMLXP3

Obviously, one wouldn't necessarily share this publicly if it were meaningful. But, well, entropy is cheap, and the above can be discarded at will.

Not sure if I have to do the port forward to get it to work or not (or, I guess I could route it through Tor, but that's just one more thing to go wrong).

The rates/stats for anyone interest, for roughly ~20 minutes runtime http://i.imgur.com/P2Cz3OU.png

CPU-wise it's using 70-100% of one core, on a quad core, ETAwhen doing any cryptographic work, it's nice and quiet at the mo, but it seems to play nicely when I run another CPU-intensive task, so no worries there.

(hope that's useful to any interested folks - this thing is still way in its infancy, and hasn't really been vetted or audited, but it's a neat concept I'd sorta been wondering when would show up)

[Polypro]

Plans for taking over the world, sent.

My addy: BM-GtXfTfbCRKnEi6aSVcWh7sgeNpK8mHDe

You don't need to forward any ports. That is only if you want to help the network (you will see a green traffic signal). It will work fine with a yellow traffic signal.

Starting up Tor Browser Bundle and pointing it to that, allows operation through Tor if you want.

All messages expire after 2 days, so you need to check at least that often. I may need to transfer this to one of my always on servers. The "USB" option allows you to take this from machine to machine - it just runs out of a folder by double clicking the .exe (Windows), which makes running it out of a TrueCrypt container, easy.

The Windows version worked without a hitch. Hopefully a security audit comes out rosey.

P

[CV]

Messages sent. Reply once you get them. I'm curious about a few things.

[Polypro]

Got it, and replied.

P

[CV]

I'm damn near sold on this.

[Polypro]

Yup. Portable option is convenient as hell. If this makes it to Android....look out (But Gibberbot with OTR is just as good, I think) I guess the only catch for mobile would be just how much data would it use, running 24/7? I *am* glad that this thing doesn't need to store the Blockchain, like BTC does...that thing is up to like 3 Gigs last I checked! LOL.

Edit: messages.dat is at 24 Megs, I think this is like the BTC Blockchain. It'll be interesting to see just how big it gets. BUT, if messages expire every 2 days, it may stay small, which is awesome.

P

[Macka]

I'm so new at this and reading this stuff has reinforced what I have read over the last few months.

I'm not ready to spring for a VPN as I have two kids in private school and as they say about free services....you get what your pay for.

I did register an email with TorMail and also through Tor, as a goof, I set up an email through Yahoo India. I test email myself between these two addresses and don't use them to email anyone I know, or anyone really.

I know there are differences between VPN and Tor but it is what it is at this time.