Paypal vs. Bitcoin for VPNs You Access Directly

Discussion in 'privacy technology' started by cb474, Oct 6, 2013.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    As I note below, we're mostly guessing :(

    Both AirVPN and iVPN state that their focus is privacy, and they summarize their history. I have no reason to distrust what they say.

    I do think that AirVPN and iVPN are better prepared for attack than most VPN providers. But again, that's from what they say. I have no inside information.

    Let me try again :) Let's say that they have complete global Internet traffic intercepts, like Wireshark on steroids. So, for example as I'm posting this to Wilders, there's traffic between my LAN and the first VPN entry server, and between the first VPN exit server and the second VPN entry server, and so on until the Wilders server. However, each of the packets in each step (IP1 to IP2) shows up as a separate line in the capture. And simultaneously, there are packets going from IP1 to IP2 that are part of many other users' activity. In order to piece together the route from my LAN to Wilders, they would need to do some analysis, looking at timing, traffic signature and so on. Doing that for one user seems possible. But doing that for every user all the time would require a great deal of computing resources.

    Does that make sense?

    It's hard to know. There are LOTS of VPN connections. The major corporate, government, etc VPNs are probably much more important than AirVPN or iVPN. That's my hope, anyway.

    It is possible, however, that the NSA provided the initial data to the FBI that allowed them to take down the Silk Road and Freedom Hosting. But again, those were very big targets compared to me ;)

    Yes, that's what I mean. Each adversary has its own priorities, I'm sure.

    Well, the leaks say (as I recall) that they can buffer everything for three days, and that they gradually delete, always keeping metadata and encrypted data. I'm not clear on what encrypted data they keep permanently. It's hard to imagine that they could store all encrypted web and email! Even for encrypted data, there must be triage. I bet that they keep all Tor traffic, however ;)

    Right. The problem has been that we have had little information about TLA capabilities, except for Bamford's books and a few news articles. Now we have the Snowden leaks. But many of them are old documents, and we don't know enough about intended audience etc.

    My response has been to push what's available in public as far as I can. Do I know how much privacy I get from 3-4 nested VPNs? No, I don't. But I know that it's more than I get from one VPN. I also know that it's much less than Tor provides. But I'm confident that putting Tor between VPNs is better than using just Tor.

    We can only do what we can do ;)
     
  2. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Do you think that there is any benefit to iVPN's multihop service, compared to AirVPN? Or is it redundant and in no way equivalent to multiple different VPN services used together?

    Yes, that makes more sense. Thanks. So in other words, if you were a target, based on timing, etc., and based on a database of all global internet traffic at a given point in time, they could probably piece together which packets came from you and where they went, even if they're encrypted and hopping through multiple VPNs. But the order of complexity is high enough that doing this for everyone, realtime would be prohibitive, at least with current computer resources.

    This is perhaps sacrilege in this forum and definitely a digression, but I don't understand why many privacy proponents and Bitcoin advocates are unhappy about the demise of Silk Road. I mean, it was a criminal enterprise. People may not agree that everything for sale on Silk Road should be illegal, but that's a political question. We all live with laws in many domains that we do and don't like. Everybody can't agree on everything. The solution is to change the laws. And for Bitcoin I agree with those who suggest this could be a benefit. It doesn't help Bitcoin to have one of its most prominent associations in the public mind be illegal activity. People understanding better that Bitcoin is mostly used for entirely legitimate purposes helps promote Bitcoin's profile and potential user base.

    Yeah, I guess the cost and inconvenience of nested VPNs is prohibitive for me. Hence my attempt to figure out the benefit of a single VPN, if any. And Tor is way too slow. I only use it occasionally for entirely legitimate things where I nonetheless really want to feel anonymous. For me also, security is important. I'm thinking of trying out Qubes OS, which seems very intriguing.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I think that there is benefit, because the entry and exit IPs are different. But any serious adversary would know all of the entry and exit IPs, so the benefit is limited. Also, you don't have the benefit of distributed trust.

    We really don't want to go there, or this thread will die. Maybe I can just say that I'm a citizen of the Internet ;)

    Using multiple VPNs is not that hard or expensive. I'm writing this on a five year old machine with a Core 2 quad-core CPU, 6 GB RAM and a 2 TB RAID10 array (four 1 TB Western Digital RE3s). There's one VPN client on the host, and two more (one two-hop) in pfSense VMs, and I'm working on an Ubuntu VM. The total price is less than 1 USD per day. Once I boot the machine, and start VirtualBox and the VMs, it just works until I shut down. I'm getting about 4 Mbps down and 1 Mbps up, which is not bad for four hops.
     
  4. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Oh God. So complicated and long for something that is so simple. Occam's razor would help you guys.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    So what's your simple answer?

    Tor?

    One VPN?

    o_O
     
  6. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    VPN behind Tor and setting Tor so it has no obvious security holes. Preferably doing this on the TBB on a Linux distribution. If you're not doing anything criminal this is way more than enough to defend yourself from low level tracking.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That sounds OK.

    But for most of my online work, Tor is just too slow, and unpredictably so, especially with our new Mevade friends.
     
  8. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Yeah, I'm having trouble imagining the adversary between corporate harassers and powerful government agencies that would be defeated by the multihops of iVPN. Perhaps the different entry and exit IPs would make one a little less likely to end up on some automatic watch list for the more powerful adversaries?

    Sorry if I said something offensive. I kind of knew I probably should have kept those comments to myself and considered going back and deleting them later. Whatever one thinks of Silk Road, I do think the methods used to take them down and powers used to justify those methods are very problematic and I hope the trial sheds some light on those methods and adds to the pressure to curtail the rampant impulses of the powers that be. And I find it dismaying the way entities, which are easily portrayed to the general public as being less than savory, like Silk Road, are used as an excuse to justify methods and powers which are really developed for other far more questionable purposes--purposes that the general public might really be unhappy about if they were discussed transparently. So maybe we're more on the same page than my comments might have come across as suggesting.

    Thanks for the description of how you do it. I can imagine getting a system like that up and running, but for better or for worse it's more hassle than I want to get into. I've kind of reached the point in my Linux usage that I just want things to work. I've been running Manjaro lately, because I could not be bothered with Arch's conception of "simple" anymore. And the cost, though certainly not high, is more than I'm looking to spend on a yearly basis.

    I also find that the first time around setting something up, even with good step by step guides, always takes way longer and has way more hitches than one expects. I just spent two hours figuring out how to encrypt a single file with gpg, even though the answer turned out to be ridiculously simple!
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes. There was a time, not that long ago, when multi-hop VPN services seemed very cool and secure. Now, with what we know about the NSA etc, we're left wondering whether Tor (let alone multi-hop VPNs) provides enough anonymity.

    Maybe there is some ugly hybrid of Tor and VPNs that can do even better ;)

    Or maybe we need a system that automatically adds several minutes latency and randomness to the process of website posting and email downloading.
     
    Last edited: Oct 9, 2013
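Added example (not part of the original thread or any poster's code): a small simulation, on constructed traffic, of the timing and traffic-signature matching discussed earlier in the thread, showing how the per-packet random hold suggested in the post above weakens it. The user count, burst pattern, delays and function names are all assumptions chosen for illustration.

```python
import math
import random

WINDOW = 600      # seconds of simulated capture (constructed data)
USERS = 20        # concurrent users sharing the same VPN hop

def make_flow(rng):
    """Entry-side packet times for one user: 30 short bursts of 5 packets."""
    times = []
    for _ in range(30):
        start = rng.uniform(0, WINDOW)
        times += [start + rng.uniform(0, 0.5) for _ in range(5)]
    return times

def relay(times, rng, max_delay):
    """Exit-side times: fixed 50 ms path latency, up to 20 ms jitter, plus
    a random hold of up to max_delay seconds per packet (the mitigation)."""
    return [t + 0.05 + rng.uniform(0, 0.02) + rng.uniform(0, max_delay)
            for t in times]

def histogram(times, bins):
    """Packets per one-second bin: the 'traffic signature' of a flow."""
    counts = [0] * bins
    for t in times:
        counts[min(int(t), bins - 1)] += 1
    return counts

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0

def match_rate(max_delay, seed=1):
    """Fraction of entry flows whose best-matching exit flow is the true one."""
    rng = random.Random(seed)
    bins = WINDOW + int(max_delay) + 2
    entry = [make_flow(rng) for _ in range(USERS)]
    exit_ = [histogram(relay(f, rng, max_delay), bins) for f in entry]
    hits = 0
    for i, flow in enumerate(entry):
        sig = histogram(flow, bins)
        best = max(range(USERS), key=lambda j: cosine(sig, exit_[j]))
        hits += best == i
    return hits / USERS

if __name__ == "__main__":
    for delay in (0, 5, 180):
        print(f"hold up to {delay:>3}s -> {match_rate(delay):.0%} of flows matched")
```

With no added hold, every flow's one-second signature survives the hop almost unchanged; a hold of up to three minutes smears it across the capture, at the cost of exactly the latency the thread complains about with Tor.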
  10. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Yes, but like you I find Tor to be way too slow for most of what I actually want to do on the internet.

    It does seem like countermeasures to the methodologies for using correlations to deconvolute (as you said) encrypted VPN traffic could be possible. It also seems like if all internet traffic were encrypted all the time it might make the problem of tracking it too large to manage. It's a little sad how easy it would be for ISPs and email providers to enable encryption by default, but they don't. Of course, they have their own reasons they want to track and scan the traffic.

    I really wish everyone I knew had pgp keys for email, which would also be very easy. But of course no one does and I'm never going to get them to do it. So I'm stuck accepting my email (and texts, etc.) traveling the internet in plaintext for not really any good reason.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Some years ago, I rented my first Linux VPS. I had read up on server security, best practices and all that. And then the provider emailed my password to me in the clear! I changed it immediately, and locked down the server. But wow, just wow :rolleyes:

    Stuff like that is all too common, I find. It reduces the tech support load, I guess.

    And for whatever it's worth, iVPN is the only VPN provider that has used encrypted email upon request.
     
  12. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    Yeah, I'm kind of amazed how often that still happens, when I sign up for some website or forum. I even still get sites sending me together in one plaintext email my username and password together. It's hard for me to believe that someone technical enough to administer a website can also be ignorant enough to put a username and password together, in plaintext, in an email.
     
  13. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    If Tor is too slow, you can just use a single VPN with Firefox NoScript+RequestPolicy, with strict rules and again you will be safe from 99% of attackers, and the 1% does not care to target you anyway and most likely could not if you're doing the above.
     
  14. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    Sweden
    That's what I have been doing, I got one browser for normal surfing like bank websites/buying stuff.

    And then my main browser with all the addons for privacy/security.

    May then install Tor or JonDo for max but I feel VirtualBox > Whonix and encrypted would be safer....
     