Anonymous Services - Can We Get A List Going And Feedback?

Discussion in 'privacy technology' started by DasFox, Nov 2, 2010.

Thread Status:
Not open for further replies.
  1. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well I got this reply from SwissVPN:

    SwissVPN is being operated based on Swiss Telecommunications and Personal Data Protection Law. Session IP's (not visited content, websites, mail, etc.) are being logged for 6 months.

    In case of criminal offence against Swiss (!!) law authorities may request information based on:


    http://www.admin.ch/ch/d/sr/7/780.1.de.pdf

    Well the heck with the Swiss and probably any EU country, they probably all have the same BS rules that in order to have safety you need to give up some of your freedoms and privacy. Sorry but I won't do that! o_O
     
  2. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    My point, and hierophant's as well, precisely.
     
  3. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Ok I should have dug better into this, I jumped too quick.

    So if you're going to get a VPN service and privacy is goal number #1, what country do you think is the best to get a VPN service through?

    So far I have my eyes on these companies;

    https://www.goldenfrog.com/ USA - o_O
    http://www.hidemyass.com/vpn/ UK - o_O

    Here's a couple of other services I remembered of in the past and forgot to include;

    UltraVPN
    https://www.ultravpn.fr/

    Its Hidden
    http://itshidden.com/index.php?option=com_content&view=article&id=48&Itemid=1
     
    Last edited: Nov 9, 2010
  4. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Avoid services with core infrastructure in the US, Europe or cooperating jurisdictions. Basically, focus on nations favoured as tax havens. The same considerations apply to information and financial security.
     
  5. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    Ok well if you have a list of VPNs in such tax haven countries please let us know...

    I really like very much what I'm reading on Linkideo, they certainly talk up a great story for freedom...

    http://www.linkideo.com/


    THANKS
     
  6. Dogbiscuit

    Dogbiscuit Guest

    Yes, I'm asking why don't you trust them?
     
  7. Dogbiscuit

    Dogbiscuit Guest

    This from the End-User License agreement on the Anonymizer web site:
    Similar language is found in their Terms of Service and also their Privacy Policy.

    Correct me if I'm mistaken, are you saying that what they state is not to be trusted?
     
  8. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Yes, that's what I'm saying. What would you expect them to say? And why would you trust the CIA as your anonymity provider?
     
  9. Dogbiscuit

    Dogbiscuit Guest

    I would expect them to say:
    Wouldn't any legitimate anonymity provider in the U.S. more or less do the same? In other words, follow the law.


    I don't know of any evidence that Anonymizer Inc., nor its parent company Abraxas, is literally the CIA. Is that really what you mean?

    I'm asking, why should a person who follows the law (in the U.S.) feel threatened by using their services? What you say you believe is that they are doing the exact opposite of what they state publicly, that their services are designed to be fraudulent.
     
  10. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    "Legitimate" and "follow the law" are highly-charged terms, designed to trigger obedience to "legitimate authority". Recall that aiding fugitive slaves was illegal in much of the US in the 1850s, for example.

    OK, perhaps you like the CIA. Consider, then, an "anonymity" provider with very close ties to Chinese or North Korean intelligence. Would you trust them?

    See above, please.

    Lying is part of the job description.
     
  11. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    Agreed with hierophant about what constitutes legitimate authority.

    DB, what if your encryption came with a black box warning and TOS as to usage? Acceptable?

    I want an anonymity provider who has a stated policy of no logging. Period. Since I can never be sure that they don't, I also want one who is not subject to U.S. LE jurisdiction. That's because I live and counsel in the U.S. I want this because I believe that communication needs to be able to proceed under any conditions deemed necessary, including absolute secrecy, for everyone, regardless of the content of their speech.

    PRQ provides anonymity and they do minimal logging for troubleshooting.
    http://prq.se/?p=company&intl=1

    PirateISP is in beta trial and while I'm not sure exactly what services they will provide, I'll keep my eye on them:

    http://pirateisp.net/

    Ipredator is a possibility:

    https://www.ipredator.se/faq/legal/

    If you look over the TOS (limited as they might be) of these providers, you'll see that I'm still not getting what I want, which is an absolute commitment to anonymity, in the same way that I expect absolute integrity from a cipher. Theoretically, there is no difference, I think. A strong anonymity system should have parallels to the requirements for a strong cryptographic system. Here's a Wikipedia definition:

    "Strong cryptography or cryptographically strong are general terms applied to cryptographic systems or components that are considered highly resistant to cryptanalysis.

    Demonstrating the resistance of any cryptographic scheme to attack is a complex matter, requiring extensive testing and reviews, preferably in a public forum. Good algorithms and protocols are required, and good system design and implementation is needed as well. For instance, the operating system on which the crypto software runs should be as carefully secured as possible. Users may handle passwords insecurely, or trust 'service' personnel overtly much, or simply misuse the software. (See social engineering.) 'Strong' thus is an imprecise term and may not apply in particular situations."
     
  12. katio

    katio Guest

    All commercial anonymous services share this problem. They can log and even if we assume they are 100% trustworthy they will do it when there's sufficient pressure from a 3rd party.

    If your service provider has to know who you are (i.e. at a minimum has to know your real IP) your anonymity has already been severely diminished.

    Even if your provider offers "strong anonymity" /within/ its network (as xerobank and cryptohippie claim for example) they are always weak to two attacks:
    First is the already mentioned problem of "pressure", which can be monetary, legal or "illegal", that is threats, extortion etc. (already assuming no insider attack!)
    Second: A global attacker can see that you are connecting to them and he can see a connection out of the "black box" network to a final destination. Therefore even assuming padding, multiplexing and other techniques designed to make traffic analysis harder against low latency networks are absolutely bugfree and secure he can still make traffic analysis based timing and correlation attacks by simply watching you->first node and exit node-> destination. The feasibility of this depends on a large part on the size of the network. Anyone wants to make a guess how many users are connected through them at any given time?

    Compare that to decentralized systems. Critics are quick to outline that they have some weaknesses against "global" attackers. But they fail to mention that every alternative is weak against them too. Twice as weak as I demonstrated above.

    A high latency decentralized system is the only answer against a global attacker. Of course that means you can't just browse the www. But they work good for email and forums.
     
  13. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    reckon the order would be Panama, Latvia, Russia, Canada, Sweden, Netherlands.
     
  14. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    concur, thence using a VPN chain and for certain areas an additional socks5 proxy.

    the human factor cannot be eliminated for any part

    if you are on a shared VPN node how the 'attacker' is going to make the link to the various user IPs behind the VPN?

    I fail to see how your ratio calculation of weakness pans out, traffic within a decentralized system can be sniffed by any peer, eventually decrypted and man-in-the-middle attacks can be driven. notwithstanding uncontrolled content delivery through unsuspecting peers
     
  15. katio

    katio Guest

    Note I say "global attacker", by definition he can see all traffic flow, going into and out of the VPN. The only way to mitigate this is by continuously sending bogus data. I don't think any commercial solution so far does this.

    If you don't trust the crypto you have a problem either way, dpi through the ISP for example.
    Traffic sniffing can only be done by exit nodes (or whatever they are called in a particular network), besides, it's a privacy issue, we are talking about anonymity.
    Anyway, everything a random peer on a decentralized system can do, a centralized service provider _can_ do too.

    Well said that it's a weakness calculation, not a risk calculation!
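
The argument katio makes in the two posts above (an observer watching both you->first node and exit node->destination can pair flows by timing, and only continuous bogus data removes that signal) can be shown with a small simulation. This is an added example, not part of the original thread; the traffic is constructed, and the user count, window count and padding rate are assumptions chosen for illustration.

```python
import random

USERS, BINS, RATE = 10, 200, 60   # constructed scenario, not measured data

def activity(seed):
    """Constructed bursty traffic: real packets per time window for one user."""
    rng, active, out = random.Random(seed), False, []
    for _ in range(BINS):
        if rng.random() < 0.15:          # occasionally start or stop a burst
            active = not active
        out.append(rng.randint(20, RATE) if active else rng.randint(0, 2))
    return out

def pearson(x, y):
    """Pearson correlation; 0.0 when either series is constant (no timing signal)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return sxy / (sxx * syy) ** 0.5

def linked_fraction(padded, threshold=0.5):
    """Fraction of users whose entry link gets paired with the right exit flow."""
    rng = random.Random(1234)
    real = [activity(s) for s in range(USERS)]
    # Exit side (exit node -> destination): real volume, same window, small jitter.
    exits = [[max(0, p + rng.randint(-2, 2)) for p in flow] for flow in real]
    # Entry side (you -> first node): real volume, or real + dummy = RATE if padded.
    entries = [[RATE] * BINS if padded else flow for flow in real]
    hits = 0
    for user, entry in enumerate(entries):
        scores = [pearson(entry, e) for e in exits]
        best = max(range(USERS), key=scores.__getitem__)
        if scores[best] >= threshold and best == user:
            hits += 1
    return hits / USERS

if __name__ == "__main__":
    print("linked without padding:", linked_fraction(False))
    print("linked with constant-rate padding:", linked_fraction(True))
```

The padded case costs every user RATE packets per window whether or not they are sending anything, which is the bandwidth price of the mitigation.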
     
  16. Dogbiscuit

    Dogbiscuit Guest

    I was just asking for specifics about why you distrusted Anonymizer, I understand that people have sometimes broken the law for good reasons. But if illegal activity is a requirement, then Anonymizer is probably not a good match.

    As Katio points out, and I'm sure you're aware, all commercial anonymity providers share this problem of the user not being able to verify much of what the provider claims. Are you sure that choosing a VPN based on political beliefs is going to provide the trust you're looking for?

    I'll take your word that you believe the CIA Anonymizer would offer my private data to whomever for whatever reason they see fit.

    Intelligence agencies aren't the only ones prone to this.
     
    Last edited by a moderator: Nov 9, 2010
  17. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    That's arguably true for service providers of all kinds, not just anonymity providers. The best approach, AFAIK, entails peer review and open discussion. Using open-source methods and software, such as OpenVPN, is also important. That's how it's done in the sciences, FWIW.

    For services like Anonymizer, one entity controls the system, and one must trust that entity re one's anonymity and privacy. That's not so for onion-routed networks of mutually-untrusted nodes, such as Tor. OTOH, such networks are readily vulnerable to intimate participation by attackers. For systems controlled by single entities, infiltration is much harder, and attackers are typically limited to observation, participation as users, hacking, coercion, etc.

    Onion-routed networks of mutually-trusted nodes are, IMHO, a very-promising approach. I suspect that such systems support some of the "commercial" anonymous VPN services, such as XeroBank etc.

    I choose based on evident commitment to freedom and non-aggression.
     
  18. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    What, you live in Sweden? PirateISP I thought is only ISP for Sweden?

    I heard that Ipredator, is from the PirateBay...

    Relakks is in Sweden also...


    I thought Sweden was bad?

    Oh my bad SwissVPN says they log Session IP's, not visited content, websites, mail, etc., which are being logged for 6 months.

    Canada, LOL, too hooked up with the Yanks below, I'd never use a VPN from there, too much USA pressure.
     
    Last edited: Nov 9, 2010
  19. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    PirateISP has offered the beta trial just in Sweden right now, I think. I can't get much info on Linkideo. Two years back, they offered up a beta trial on a public forum, and were met with some skepticism. This is absolutely no reflection on their service, or lack thereof, just an observation.

    Their site is not very informative. I don't see their location. Japan?


    Agreed. Onion-routed networks of mutually trusted nodes make a lot of sense. And not coincidentally, that route would rely on a system of open discussion, peer-review, and standards, as well as internal industry oversight, upon which the reputation of the industry would depend.
     
  20. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Indeed. And to clarify, I mean onion-routed networks of mutually trusted, yet otherwise independent nodes.
     
  21. nix

    nix Registered Member

    Joined:
    Sep 22, 2010
    Posts:
    257
    Location:
    Miami
    Yes, thank you for the clarification. I assumed this as well.
     
  22. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well I thought it was bad to do business in Sweden...

    Linkideo, from what I read online is either in the UK or France, but not sure if that's even correct.

    Maybe a really nice secure way when in doubt is to connect through OpenVPN to a VPN service you feel comfortable, then connect again to Tor.

    I don't see why you can't connect to a VPN then use the Tor browser. :)
     
  23. nightrace

    nightrace Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    159
    All these locations except Sweden are available in double VPN chain from http://safe-inet.com/en

    I don't think the actual countries matter as much as whether they are cooperating legal jurisdictions.

    Port forwarding will work with their dedicated IP but may not with double VPN, in which case you would be better off with someone like http://anonyproz.com/ who assign a single IP to all connected clients. Do most single hop VPNs do this?

    IMO Mullvad still offers the best value for most users, unless they live in Sweden or Netherlands.
     
  24. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    Well not sure I really need to go as far as needing double vpn.

    You're the second person to suggest Mullvad, there seems to be a bit of popularity coming out of Sweden for VPN, three that I know of, Mullvad, Relakks and Ipredator.

    Why do you think Mullvad offers a good service?

    I'm actually testing the trial, seems to surf pretty fast, but I wouldn't want to use their GUI for the service, I'd rather just install OpenVPN and connect.
     
  25. nightrace

    nightrace Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    159
    Their custom client will protect against a VPN drop. If you use the standard OpenVPN client you will have to use third party software like VPNCheck or else properly configure your firewall. Software firewalls often cause port forwarding problems, sometimes even after they are uninstalled. For €5/month Mullvad offers unlimited download, unlimited speed, randomly assigned servers in Sweden and the Netherlands, and a no logging policy. Other Swedish VPNs like DarknetVPN and VPNtunnel.se offer the same but without the custom client or Netherlands server.
     