ProXPN hiding something. I think I need a new VPN service.

As you all may know ProXPN was hacked about a month ago now. I do realize this is old news and many of you must be wondering why I'm so late to the game, I'm not, just bare with me for a sec here and read on.

After a month of waiting and two wasted payments to them, I finally decided to send ProXPN a ticket as I have had problems connecting to their client ever since their compromise and so I decided to ask a few questions. One of the questions crunched down, asked when they will notify their customers about the server breach.

Clearly never, now that I have a reply answering none of my questions and a response email stating: "Hello, the user responsible and offending content has been removed. The offending users account has been terminated."


ProXPN also put the following news out ten days after the TurkisH-RuleZ hack:

"Dear Valued Subscribers,



We are aware of the issue with proXPN 2.8 crashing when connecting to our servers. Between 4:00 and 5:00pm EST we made a server side change that caused the client to fail. Thanks to you and your early reporting, we have identified the issue and have completed the fix. You will not need to make any changes or re-download the client as the fix was on the server side. Please contact us should you have any other issues. We apologize for any inconvenience this may have caused you and thank you for your support.



Team proXPN"



Anyways, now that I know I am only a 'valued' subscriber, I think it is time for a new VPN service but don't know who to trust. I have looked around but how can I truly know to trust them?
If any of you are willing, could you suggest a few VPN services you trust, please?


Edit:

 

My favorites are AirVPN, BolehVPN, Insorg, iVPN, PIA and SecurityKISS. Insorg and iVPN are multi-hop, and cost more. PIA is very inexpensive. And SecurityKISS has a great free trial.

 

Wow thanks for your speedy reply mirimir! :')

 

It's all in the timing

 

Lol, quick witted mirimir, what ever will we do without you?

 

mirimir, which are you using at the moment?

 

oh I'll take a not so very educated guess: iVPN.

 

I'm using all of them, in one way or another, more or less lately

 

Data retention laws, Canada? what are they really storing? I suppose I don't mind but if it is the unencrypted data being collected, what is the point of a VPN service here in Canada then? Would that not mean there's a way for hackers to "listen in"?

 

Oh wow man, I assume some of them must be more than just a vpn service. Am I correct in saying so?

 

VPN services hide activity from your ISP, and also from adversaries intercepting anywhere between you and the VPN exit. When you use VPN services, you're choosing to trust VPN providers in the same way that you would otherwise trust your ISP. But you can use a VPN service based in another country, and you can pick one that has less interest and/or leverage about you. And you can chain multiple VPN services, so that adversaries would need to work harder to compromise them and/or get their cooperation. That's how I use so many VPN services. If I'm working on several projects, I may have multiple branched chains connected, each feeding a different workspace VM. There's much more about that in my guides on iVPN.

 

Wow, that is so cool! I'll definitely read more on that, I never knew VPN services could be used that way.

 

Which OS do you use?

 

Using router VMs as gateways for VPNs and Tor, you can route them through each other in various ways. pfSense VMs work well for both, although installing Tor in pfSense takes some work.

 

I mostly use Linux (lately, Debian) for host machines and workspace VMs, and pfSense for router VMs. Whonix is a very easy to use setup for securely using Tor, comprising gateway and workspace VMs.

 

Wowwie!

Almost beyond my comprehension. Is this something you learned to do through some means of training?

 

I knew it!

you hinted it earlier though i wasn't certain about the distro.

 

I'm just thinking here mirimir, could VPN-chaining not make the crypto weaker? I don't have any reasoning behind this. I have just heard before (some time ago actually), that encrypting an already encrypted data source could weaken encryption.

Would you disagree?

 

Nope, no training. Just reading stuff online. Some years ago, I'd been using multi-hop VPN services and Tor. I'd read about JonDonym, and was dreaming about some way to replicate trust-distribution with VPNs. I'd also been using VMs for a while, and had read about plans for Qubes. And I'd started using pfSense as my LAN router. I was reading some article about virtual networking, and then it struck me that I could use VPN-gateway VMs and Tor-gateway VMs to create nested chains. And it worked

 

I'm no crypto expert, but I've also read that. But using nested chains of VPNs and Tor isn't about multiple layers of encryption to better hide stuff. There are multiple layers of encryption, of course. But the goal is making it harder for an adversary to connect you and your online activity. Rather than just getting one VPN provider to cooperate, they need to go after multiple VPN providers. I discuss this in https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me and https://www.ivpn.net/privacy-guides/adversaries-and-anonymity-systems-the-basics.

 

Wow, well I'll definitely be trying this out and hope to be as successful as you have been.

Oh right and thanks!

 

Thanks

As you get into it, don't be put off by the walls of text. I've made my guides to be totally step-by-step, in order to reduce confusion. But that does make them long. If anything goes wrong, just ask

I need to redo the guides on host machine setup and workspace VMs, because Ubuntu 12.04 is nearing its end. I'm now using Debian 7.6 instead.

 

Hi mirimir, thanks a ton for your support, I'm probably going to need some help as I haven't used Linux for some time now. Do you think this could be done with raspberry pi's?

 

Maybe. But there's a security issue about having all of the various networks available physically, through ethernet ports. With a host machine with FDE that's locked, getting in by compromising the password without triggering a reboot is tough. It's doable with a RAM attack, I know. Better would be struggling a bit with Linux.

 

Hi again mirimir I still haven't checked your link I've not been well lately.

Please tell me, is all of this done on a single system? I feel like I missed something in one of your messages. It sounded like you are using multiple machines.

Cheers man,
I hope you are doing very well.
-DynoTAP