Security: VPN vs SSH vs Proxy

Discussion in 'privacy technology' started by SundariDevi, Oct 13, 2009.

Thread Status:
Not open for further replies.
  1. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    $12, are you kidding? Who has that kind of money? :rolleyes:

    But seriously, I like to pay anonymously, and I haven't found an easy way to do that yet.

    What country is your server located in?
     
  2. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    I've found that some internet services will offer creative payment arrangements if you call them and tell them you don't have a credit card.

    But if you are looking for absolute anonymity, maybe you can't get it cheap. If I wanted that I would get a private server on a rack in an offshore country, maybe even Russia, install OpenSSH server on it and go from there. OK plus you find a provider that takes e-Gold -- don't expect 100% uptime with it. I think a basic tenet of security is that the more people there are in the system, the weaker it is. So what makes this good, is that with your own server, there is you, you, and the guy who makes sure the power doesn't get shut off.

    I think a lot of stuff here is putting the cart before the horse. Steve gives these elaborate schemes to detect somebody's true location and while they may work, who has these resources? And across national borders what will it take to pull them all together, unless you are the NSA? And are they going to stop chasing terrorists and watching rogue nations even to catch a billionaire with hidden offshore accounts? I doubt it. If nobody can tell where you are located and you haven't done any crime it would be quite difficult to get a court order that allows the data to be subpoenaed.

    Maybe I am missing something?
     
  3. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Warning: Severe Misunderstanding of Anonymity ^^^

    1. Owning a server somewhere does not make you anonymous.
    2. Being the only one using that server makes you the exact opposite of anonymous.
    3. Putting any servers in Russia without multiplexing is a very bad idea as Russia does massive surveillance of all traffic.
    4. There is no such thing as absolute anonymity.
    5. There is no one-man anonymity system.

    You are definitely missing a lot. :| You are suffering from the "They can't watch everyone all the time" fallacy. They can, they do, they are. It is this sort of mentality that makes hidden and ubiquitous surveillance so dangerous. Because you can't see it or the effects of it, you don't consider it. But surveillance systems are like radio waves, they are all around you, affecting everything around you in ways you can't see. Thousands of organizations, public and private have access to shared information about you.

    They don't have to actively trace you. They are logging all the traffic on the internet. You are not anonymous. They simply decide that at some point in the future they want to track your past, then they go through their datamine and find all your traffic for the past decade and start analyzing it. Read this paper, it will enlighten you as to the reality of internet surveillance today.
     
  4. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    I'm not looking to be that creative. Just a prepaid card is fine. The problem is that they use Paypal, Moneybookers, and Google Checkout. They have lengthy registration and verification processes. I don't know if any/all accept prepaid cards and, if so, which ones.


    :thumb:

    I don't know how many times I've heard stuff like that. At first I thought these people must really know something I don't.
     
  5. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    Re: Russia, the point there is that last time I looked certain things that are illegal in the West are not there. Additionally other nations would have a very difficult time getting any kind of legal agreement to actually access whatever data they have. I would be more concerned with the data being obtained via bribes. Otherwise points taken and reading added to the list. But you still don't answer how they will get legal access to these massive amounts of data. Or at least get it in such a way that it will be admissible in court. I guess that is not always what you're trying to protect against. But there is a large difference between theory and its applications and while you give lots of the theory, I'm never sure what applications would need such heavy duty security and given that "there is no such thing as absolute anonymity" how much do we gain and who might profit by going the extra mile that XeroBank might represent?

    Stated in another way, what are for you, the objectives of a privacy and anonymity strategy and (secondly as a separate question) how does XeroBank fit into it?
     
    Last edited: Oct 19, 2009
  6. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    I've thought about this with respect to data retention laws. If the data retention law would be written in such a way that you must hold data for X years and after that it must be deleted, then the data retention law would not be all bad because there would be a limit to how long they have access to such data.
     
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    If there is anything the government does well, it's surveillance. Steve is right about all traffic being monitored. Where does it all end up? Try this recent excerpt from a book review by James Bamford (he's an NSA expert in his own right but he's reviewing a new book by Matthew Aid). I urge you to take a couple of minutes and read the following first three paragraphs. Eye-opening. A link to the complete and very long review is at the end of the following excerpt.

    The very long review can be found at the NY Review of Books: http://www.nybooks.com/articles/23231

    No server in Russia escapes the above.
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Great questions. Those are the right ones. First off, anonymity has no technical metric for measurement, but if we wanted to speak in practicality, anonymity is about information warfare and your liberty. We are fast approaching an age where people are arrested without committing a crime, or under the pretense that they may commit a crime in the future. The US president Obama even proposed legislation to indefinitely imprison people who are merely *suspected* that they might commit a crime at some future date. The world is changing, and not for the better. There is a large scale war against liberty and freedom, and it is being waged on all borders and the world tries to shut down the power of individuals to control their fate and governments. The war for information control today is about preserving your liberty tomorrow. What is it worth to your boss to know about your private medical conditions? How will it affect your ability to get a job if you are a homosexual? What happens when the incumbent party knows your political affiliation and plays games with that information? What about marketing firms who are buying and selling the SMS messages and email of your children? When all information about people is known, they can be predicted, and thus controlled, and control is also the same as money.

    I'll give an example of why state surveillance is bad. In Greece, they had a secret system that could tap any phone call. Some hackers broke in and planted a bug that allows them to spy on the heads of state, their families, major industrialists, etc. The system was used to blackmail, bribe, bully, and extort companies and government officials. The hackers were never caught or discovered. So the next objection is "well what if we can make it where only the right people have access"... there is no right person, as power corrupts, just ask ex-president Nixon. Nobody should have this power, because it threatens the freedom and liberty of all people and puts undue power and control into the hands of the corrupt, and in fact weakens our security as individuals. We truly are not far off from 1984, only big brother is a lot better at hiding that fact.

    So regarding what you get from XeroBank: XB can make you anonymous enough to defeat data retention, data logging, spying and snooping of all sorts by all parties. Just about the only thing we can't defeat is if the NSA is coming after you right now. We protect your information not only today, but also your freedom from control by others tomorrow.

    Our objective, as stated on our website is "to protect and foster the development of liberty and free-trade markets by empowering our clients to control how their information is exposed and used." Therefore the level of anonymity we provide absolutely must be sufficiently powerful to defeat threats to liberty and free markets.
     
  9. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    1. The data will not be destroyed. It is infinitely valuable. After it is offloaded from primary storage it will go to secondary storage.
    2. Doing evil for a stated short amount of time does not make it good.
    3. There is no security for individuals through doing data retention. If you remove people's privacy, you lose security. Terrorist networks already use sophisticated anonymity and compromised botnets with encryption. They will not be snared by such ham-fisted attempts, only the innocent will. It is a control mechanism like the idea of gun control. If guns are outlawed, then only outlaws will have guns. Let everyone exercise privacy and anonymity, otherwise you are disarming us, and we must be forced to ask who profits from this. Don't give up your rights.
     
  10. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    Well thanks, I agree with what you're saying about privacy, and I know that it is important to protect your privacy, but what you wrote above really doesn't answer my question. With respect to data surveillance, another country besides Russia who does massive data surveillance (perhaps the most) is the USA, but nobody is suggesting we don't use servers in the USA for that reason. The differences between the two are their laws and what applies to you. So I am interested in solutions for today within the legal context faced by individuals, corporations and nations. If you are trying to protect against threats that could be found in any possible world that might come about, and subversive actions by rogue nations who will use any means to obtain data then that is something entirely different.

    Given that
    - with a properly configured VPN or SSH tunnel I can prevent an ISP from seeing what websites I visit.
    - if I use 256bit data encryption I can probably prevent a government/hacker/rogue entity from sniffing my communications and reading the contents of my electronic communications (as it travels from my computer to my VPN or SSH server)
    - when my VPN server is located in a different country (chosen with the objective of making it effectively impossible for my local ISP or government to get any information from them without already having evidence of a crime), this VPN server data will not be available to anybody in my country.

    If an ISP or government decided to analyze all its data and come after somebody for P2P downloading or having secret offshore bank accounts that allow him to avoid paying taxes in his home country (two randomly selected, easily understandable examples) or if any possible party decided to data mine a source of retained data they somehow obtained, then assuming we are not talking about the NSA, questions that would lead to "my privacy objectives" are:

    - how possible would it be for them to piece together my identity (name,address, etc) and evidence of my activities without assistance from a second government or ISP
    - what is the threat posed by a network of international hackers trying to obtain the same information
    - If I am already using a VPN and encryption what would further decrease the probability of them successfully doing this


    When I ask these questions I look at the answers in the context of the current legal framework that affects online activities, including the facts that:
    - If I do something (e.g. P2P downloads or have a "secret" bank account) in a country where it is not illegal (including normally "illegal activities" such as P2P or "secret" bank accounts in places like Russia, or Switzerland before 2009 -- let's call them "open-law" countries) then no third party government can obtain data related to those activities through legal channels without high level government negotiations and perhaps laws being rewritten - as we recently saw with Switzerland and "secret banking".
    - If when I do one of these things I am subject to the laws of a country where it is illegal (via physical presence or the laws of the country being written is such a way that they apply to its citizens when they are abroad) then if that country can prove I did it (with information that it obtained without the assistance of the open-law country) then they could potentially gain the assistance of the open-law country to access data stored/gathered/intercepted there.

    Does that help clarify my question?
     
    Last edited: Oct 20, 2009
  11. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    I like point number 2...

    When I was doing research on the data retention laws in the EU it seems to me that I came across the fact that in some countries the law said that the data must be retained for X months/years and after that it must be destroyed. Which would mean that the data would not be admissible in court after the data retention period. I'd have to check that, but if it's true then in some cases that would make the data retention law countries preferable to those without such laws who gather massive amounts of data.
    Point 3 is also good, especially in the context of international internet IDs as was suggested by Kaspersky.
     
  12. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Flash / Java / JS / ActiveX / Plugins CANNOT bypass the connection/proxy settings of native SSH tunnels if you use a third party firewall to control outbound connections, there is also the option of using something like proxomitron which rewrites http headers to prevent java and JS etc from revealing your true IP address.
     
  13. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    by the way I have a Question. what encryption does VPN use compared to SSH?
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Since before the 1950s governments have had open cooperation on intelligence gathering. It is not something they have to start to do, it is already done and available. They are already cooperating with fully searchable and automatic systems of surveillance. In the late 70s and 80s there was (is) a secret program called Echelon. Echelon was the implementation of a secret intelligence sharing agreement among NATO countries. While the US could not legally spy on US citizens, the UK could, and vice versa. So the UK was allowed to spy on US citizens and then provide that information back to the US, circumventing privacy rights and empowering each other with domestic surveillance ability. Echelon only applied to copper cable and microwave and satellite transmissions. Fiber Optic uses a different series of programs, such as the NSA program, but is already implemented and cooperative among the NATO allies and some other groups. The point being, the governments are already working together, and it is no stretch of feat or difficulty. The stuff that happens in another country is just as accessible as the stuff that happens in a gov's own backyard.

    They can steal your whole route, bypassing your encryption because they can see the traffic leaving the vpn connection unencrypted as well. We caught a hacker trying to do this to one of our guys during DefCon on one of our verizon fiber lines. He got busted because he was stealing the whole route instead of copying it, and doing a poor job.

    Negative. It actually increases the chance of them doing this because the passive surveillance systems consider encrypted traffic to be very interesting, and will monitor vpn nodes more closely. These people are very smart, and as I said before, ham-fisted attempts to circumvent surveillance do not succeed in anything but putting you and your traffic under further surveillance interest.

    Surveillance systems are a necessary evil, and will not be regulated by public laws and rules. They are required for a country to stay up to the gaming level of its competitors, and rather foolish not to. No laws will prevent domestic spying, as it is said, the master's tools will not unmake the master's house. The only question is how much the public is allowed to be shown, and how much the private corporations will be allowed to discuss. Take the whole AT&T spying thing and financial spying on the SWIFT network. Those were illegal and were not announced to the public. Only when there were whistleblowers did those programs get admitted. Secret spy programs are secret. :)

    The domestic police agencies follow those rules, federal police such as the german BKA and others do not. They openly have spy programs and assist each other without warrants. You don't even have to have committed the alleged crime in germany, if any of the traffic crossed a network that germany has access to, the germans will provide it to their allies.

    Thinking of source and destinations isn't applicable if you aren't multiplexing and encrypting across multiple nodes, because anyone sitting along the transit lines of the unencrypted traffic has it available for access and correlation. Think of it like "wire fraud" where the Interstate Commerce Commission steps in. Even though you are in texas and victim of the wire fraud crime was actually in california, the connection passed through nevada on the way to california, and therefore another crime was committed etc. Sovereign entities can and do ensnare transit traffic, and would be foolish not to. The idea that what goes on in one country is not available to another is a false presumption that disappeared with the digital age. The internet is a very small place, with 90% of all internet traffic going through the USA, even though it may be destined for another country.
     
    Last edited: Oct 20, 2009
  15. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    SSH uses SSL/TLS. OpenVPN uses TLS. PPTP does not natively have encryption and requires additional protocols. L2TP may or may not have IPSec, which uses TLS and a variety of others.
     
  16. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    Additionally, if you create an SSH tunnel with OpenSSH server, you get whatever encryption the client requests. So with the PuTTY client you can choose between AES, Blowfish, 3DES, DES and Arcfour.
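    The algorithm question raised in posts 13, 15 and 16, as an added example that is not code from any post in this thread. SSH's transport layer (RFC 4253) does not run over TLS; the two sides exchange SSH_MSG_KEXINIT messages carrying comma-separated name-lists, and for each direction the chosen cipher is the first entry on the client's list that the server also offers. So "you get whatever the client requests" holds only as far as the server has not pruned its own list. This block serialises and parses KEXINIT, applies that negotiation rule, and flags the legacy ciphers named in post 16 (DES, Arcfour, 3DES, Blowfish); the cookies are filler and the algorithm lists are constructed for the example.

```python
"""Parse SSH_MSG_KEXINIT (RFC 4253 section 7.1) and apply the SSH algorithm
negotiation rule to see what a client and server actually end up using.

Added example, not code from any post. Both KEXINIT messages in the test are
constructed inline; the algorithm names are real SSH identifiers, the cookies
are fake."""
import struct

SSH_MSG_KEXINIT = 20
FIELDS = (
    "kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)
# Ciphers a practitioner should refuse today: single DES and RC4 (arcfour) are
# broken, 3des-cbc has a 64-bit block (Sweet32), blowfish/cast in CBC are legacy.
WEAK_CIPHERS = {"des-cbc", "arcfour", "arcfour128", "arcfour256",
                "3des-cbc", "blowfish-cbc", "cast128-cbc"}


def _name_list(names):
    """SSH 'name-list': uint32 length + comma-separated ASCII names."""
    s = ",".join(names).encode("ascii")
    return struct.pack("!I", len(s)) + s


def build_kexinit(cookie: bytes, **lists) -> bytes:
    """Serialise a KEXINIT payload from keyword name-lists (missing ones empty)."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for f in FIELDS:
        out += _name_list(lists.get(f, []))
    out += b"\x00"               # first_kex_packet_follows = FALSE
    out += struct.pack("!I", 0)  # reserved for future extension
    return out


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload into {field: [names]}; strict about lengths."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16  # message id + cookie
    lists = {}
    for f in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack("!I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        pos += n
        lists[f] = raw.decode("ascii").split(",") if raw else []
    if len(payload) != pos + 1 + 4:  # boolean + reserved uint32
        raise ValueError("bad trailer length")
    return lists


def negotiate(client: dict, server: dict, field: str) -> str:
    """RFC 4253 rule: the first entry of the client's list that the server also
    offers wins. The client's order, not the server's, sets the preference."""
    offered = set(server[field])
    for name in client[field]:
        if name in offered:
            return name
    raise ValueError(f"no common {field} algorithm")


def weak_choices(client: dict, server: dict) -> dict:
    """Negotiate both encryption directions and say whether each result is weak."""
    result = {}
    for field in ("enc_c2s", "enc_s2c"):
        chosen = negotiate(client, server, field)
        result[field] = (chosen, chosen in WEAK_CIPHERS)
    return result
```

    The practical consequence: a client that lists blowfish-cbc first will get it from any server that still offers it, so the server-side `Ciphers` line in sshd_config is what actually enforces a floor, whatever the client asks for.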
     
  17. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    Yes in areas of national defense and covert activities. Maybe some other joint projects which in most cases won't concern the average law abiding individual. But even allied governments don't trust each other nearly as much as your above statement might lead one to think. In areas such as terrorism there is a great deal of cooperation, but consider this straw man. Looking back even to 2001 we now know for a fact that even US domestic agencies did not share a great deal of information.

    Actually the domestic agencies federal or local often don't always follow the rules. In the area of internet we are most often talking about federal/government agencies. Provided they can't get uniquely identifying information via legal means they will sometimes use any means at their disposal to collect information, including botnets and many other hacker techniques. While this information can't be used in court, it can be used to direct their areas of inquiry and refine their searching techniques. They may recognize certain boundaries, such as hacking passwords and breaking into email account and servers, and they may not. Regarding warrantless information exchange. That may exist in areas of national security, but in order for German authorities to legally give information to another government, whatever that somebody did would have to be a crime in Germany. Even in that case, these things are not so easy at all and added to that is the fact that most governments follow the principle that they will prosecute their own citizens for crimes. This statement above is highly misleading.

    Do I think governments, law enforcement, covert agencies always follow the law? No way! I can see what's going on. But neither do they openly broadcast this fact or want it in the news. That greatly limits their areas of interest and what they can actually do with any info they've obtained.

    Well that's not the idea at all, we are talking about different things, that's all. And if you know beyond any doubt that countries share information on things like P2P downloading, or private bank accounts you have a level of access to information that very few private individuals have. Once again this can be seen from recent news on private Swiss banking and the Liechtenstein banking episode of the previous year. With billions of dollars at stake, the US government had to go into massive, high profile multi month negotiations to get part of what they wanted. If what you say were true, none of this would have been necessary. Individuals could have been identified by their data stream, specific revenue sources or money withdrawals patterns could be identified. The government could "stumble" upon those data points ( see my comment above about this covert information, that is not admissible in court being used to direct areas of inquiry) and start making their case against the tax evaders. At which point the Swiss would have had to hand over information based on their existing law.

    While you still haven't outlined your objectives for me, from what you haven't said I can more or less gather what your system is aiming at.
     
    Last edited: Oct 20, 2009
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    There are different intelligence agencies with many varying and sometimes counter objectives, most you may never have heard of, such as the DIA, where some real power resides. They don't care about financial this or that, but the swiss issue is a dog and pony show at a low federal level anyway. The people busted were those foolish individuals who opened accounts in their own name. This is a diversionary tactic for the real reason the SWIFT system was co-opted. Those people who got "caught" didn't have billions, they had perhaps millions. The ones with billions used barristers and corporations behind corporations, and did not get caught or busted because the corporations name was on the book, not theirs. Nothing happens just for one reason, concerning international affairs.
     
  19. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    Within a few days after this post, P2P data rates are virtually zero! Just goes to show that there is a lot more to privacy than setting up a vpn. It's also a state of mind. What we can find on internet, they can find too.

    Did they read this? Can't be sure, but some coincidences are too improbable to always be coincidental.
     
  20. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    Ouch! I'm sorry about that. This forum always gets high priority in Google searches. I guess that can be a good thing and a bad thing. Doing a search for the name of the VPN plus "P2P" gives this forum as the third hit on the first page. Just searching the name of the VPN (without any other terms) gives a hit on the third page.

    But it does seem a little quick unless someone involved with the service was reading this forum. Or perhaps a customer who was concerned about reduced speeds read this thread and complained. Or more likely, someone read this thread, was interested in the service (especially the P2P aspect), e-mailed them and linked to this thread.

    Sorry again.
     
  21. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    Not your fault, it's mine. I did think twice before posting that, but I was thinking about lots of people signing up and the service getting slower. Not the company reading it. I should have PM'd you.

    Webmasters normally look at site access logs and go look at websites that send them lots of visitors for a few days. Sometimes those are forum posts with clickable links, so it's easy for websites to see what people are saying about them. I didn't post a clickable link, but if you want to see what people are saying about your website you can type @mywebsite.com into google and you will see even the links that aren't clickable (but they normally don't show up as referrers in website access logs so you have to actively look for them).

    If you google:

    @websitename.com wilder's

    you'll find these forum posts are indexed in google.
     
  22. SundariDevi

    SundariDevi Registered Member

    Joined:
    Sep 22, 2009
    Posts:
    40
    If you give your internet browser the right to make outbound connections, doesn't that also allow any java/flash/ActiveX,JavaScript that is running on a webpage in the browser the right to make an outbound connection also?

    I don't know anything about Proxomitron ...
     
  23. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    My understanding is that if your SSH client is listening on 127.0.0.1/localhost, then all you have to do is allow your application to only access the localhost. Deny the application internet access and DNS lookups. You can even narrow the application's access to only the port that the SSH client is listening on.

    I don't really use SSH, but I figure it should be the same as Tor. So, someone correct me if I'm wrong. I do know that configuring your firewall like that with the application that uses Tor does prevent most if not all of the leaks. If the browser does try to connect out, the firewall stops it.

    Regarding Proxomitron, you can configure your browser to only go through Proxomitron, then you can configure Proxomitron to go through whatever client you want. From my experience, Proxomitron doesn't leak like browsers do. You can use Proxomitron to change your network connection settings instead of directly changing the settings in the browser. This works well if you only allow your browser to connect out through Proxomitron. What I do is drag and drop different CFG files into Proxomitron any time I want to change my connection settings (e.g. switching from direct connection to using Tor).
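    The browser-to-tunnel arrangement from posts 12 and 23, as an added example that is not code from any post in this thread. `ssh -D 127.0.0.1:1080` gives the browser a SOCKS5 listener on localhost, and the outbound firewall rule from post 23 allows the browser only that one destination. What the firewall cannot see is whether the browser resolved the site name itself before talking to the listener: a SOCKS5 CONNECT carrying a hostname (address type 0x03) is resolved by sshd at the far end, while one carrying an IP address means the lookup already went out to the local resolver. This block encodes and decodes CONNECT requests (RFC 1928) and classifies what arrived at the listener; the port 1080 and the hostnames are assumptions, and every message is constructed inline.

```python
"""SOCKS5 CONNECT request encoding and decoding (RFC 1928), used to check
whether a browser pointed at a local `ssh -D` listener leaks DNS lookups.

Added example, not code from any post in this thread. Every message is
constructed inline; the listener port 1080 and the hostnames are assumptions."""
import ipaddress
import struct

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect_request(host: str, port: int) -> bytes:
    """Encode CONNECT the way a well-behaved client does.

    A hostname goes on the wire verbatim (ATYP 0x03) and is resolved by sshd at
    the far end; a literal IP is sent as ATYP 0x01/0x04. A client that resolves
    the name itself before opening the SOCKS connection is the one that leaks
    the lookup to the local ISP's resolver.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        body = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        body = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + body + struct.pack("!H", port)


def parse_connect_request(data: bytes):
    """Decode CONNECT into (atyp, destination, port); raise on malformed input."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[1] != CMD_CONNECT or data[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 4 + 4
        dest = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_IPV6:
        end = 4 + 16
        dest = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            raise ValueError("truncated request")
        end = 5 + data[4]
        dest = data[5:end].decode("idna")
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(data) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return atyp, dest, port


def classify_request(data: bytes) -> str:
    """Label a request as seen at the 127.0.0.1:1080 listener.

    'remote-dns': hostname carried through the tunnel, resolved by sshd
    'local-dns' : public IP where a site name was expected, i.e. the client
                  resolved it locally first (a leak; a literal public IP typed
                  by the user is indistinguishable on the wire)
    'literal-ip': private, loopback or link-local target, nothing to resolve
    """
    atyp, dest, _port = parse_connect_request(data)
    if atyp == ATYP_DOMAIN:
        return "remote-dns"
    ip = ipaddress.ip_address(dest)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "literal-ip"
    return "local-dns"
```

    The browser has to be told to send hostnames to the proxy (in Firefox that is the `network.proxy.socks_remote_dns` preference); with that set and the firewall denying the browser everything except TCP to 127.0.0.1:1080, including UDP port 53, a plugin that ignores the proxy settings has no path out at all.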
     
  24. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No, they run as independent applications and do not have to respect the browser's connection configuration.
     
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    can Steve or some one answer this question.

    VPN uses TLS correct?

    Apparently SSL/TLS can be decrypted and cracked with bluecoat etc
    http://directorblue.blogspot.com/2006/07/think-your-ssl-traffic-is-secure-if.html
    http://support.citrix.com/article/CTX116557

    I have seen many links saying this. Therefore wouldn't it be much safer to use SSH encryption with blowfish or twofish128 etc??
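    On the question in post 25, as an added example that is not code from any post in this thread. Interception proxies of the kind those links describe do not break the cipher: they terminate the TLS session themselves and hand the client a certificate signed by a CA the client has been made to trust, so switching to a different cipher in SSH gains nothing. The defence in both worlds is verifying the credential the far end presents. For SSH that credential is the host key, and a proxy in the middle has to present its own, which a pinned known_hosts entry catches as a mismatch. This block computes fingerprints the way `ssh-keygen -lf` prints them and checks a presented key against known_hosts; the 32 key bytes are constructed filler rather than a real ed25519 key and bastion.example is a placeholder.

```python
"""OpenSSH-style host key fingerprints and a known_hosts pin check.

Added example, not code from any post in this thread. The 32 key bytes used
in the test are constructed filler rather than a real ed25519 key, and the
host name bastion.example is a placeholder."""
import base64
import hashlib
import hmac
import struct


def ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': uint32 length prefix followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def ed25519_blob(raw32: bytes) -> bytes:
    """Public key blob for ssh-ed25519 (RFC 8709): key type string, then the key."""
    if len(raw32) != 32:
        raise ValueError("an ed25519 public key is exactly 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw32)


def fingerprint_sha256(blob: bytes) -> str:
    """What `ssh-keygen -lf` prints: SHA256 of the blob, base64, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-hex MD5 form that older PuTTY host key prompts showed."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def known_hosts_line(host: str, keytype: str, blob: bytes) -> str:
    """Render one plain (unhashed) known_hosts entry."""
    return f"{host} {keytype} {base64.b64encode(blob).decode('ascii')}"


def parse_known_hosts_line(line: str):
    """'host keytype base64blob [comment]' -> (host, keytype, blob).

    Hashed entries ('|1|...') are deliberately not handled, to keep the check readable.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("malformed known_hosts line")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack("!I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type field does not match the blob")
    return host, keytype, blob


def check_host_key(known_hosts: str, host: str, presented: bytes) -> str:
    """'ok' when the presented key is pinned for host, 'MISMATCH' when a
    different key is pinned for it (the interception case), 'unknown' when
    the host has never been seen."""
    pinned = [parse_known_hosts_line(line)
              for line in known_hosts.splitlines()
              if line.strip() and not line.lstrip().startswith("#")]
    candidates = [blob for h, _t, blob in pinned if h == host]
    if not candidates:
        return "unknown"
    if any(hmac.compare_digest(blob, presented) for blob in candidates):
        return "ok"
    return "MISMATCH"
```

    With OpenSSH's `StrictHostKeyChecking yes` a MISMATCH aborts the connection instead of prompting, which is the setting that turns this check into an actual defence; "unknown" is the one case where the user is trusting the network on first contact, so the fingerprint should be confirmed out of band then. The TLS equivalent is pinning the server's public key or the issuing CA rather than accepting whatever the local trust store contains.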
     