Why pay for an everyday VPN with bitcoin?

Discussion in 'privacy technology' started by Stifflersmom, Aug 11, 2013.

Thread Status:
Not open for further replies.
  1. Stifflersmom

    Stifflersmom Registered Member

    Joined:
    Jan 3, 2013
    Posts:
    45
    This question is for the common Wilders user who uses a VPN for everyday security purposes.
    Why would you pay for the VPN in bitcoin? A lot of privacy articles/sites are now suggesting using bitcoin to pay for VPN to preserve anonymity, but to me that makes no sense unless you are always connecting from remote internet drops. If the VPN is forced by law enforcement to monitor your connection, they can still see your original IP address. The only benefit to paying with bitcoin is if you are truly trying to maintain anonymity which means you are connecting from public internet. Am I missing something?
     
  2. jedisct1

    jedisct1 Registered Member

    Joined:
    Jul 7, 2012
    Posts:
    39
    Location:
    San Francisco, CA
    You can always chain multiple types of transport: Tor, proxies and VPNs, and spread them across different countries.

    A lot of people are doing fraud on the internet in plain sight, yet it takes a lot of time to catch them because this is the kind of technique they use to cover their tracks. In this context, Bitcoin and other e-currencies make a lot of sense.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    No, you're not. I don't think that it helps very much to use Bitcoins for VPNs that you access directly.
     
  4. JackmanG

    JackmanG Former Poster

    Joined:
    May 21, 2013
    Posts:
    284
    Yeah, I think you are. Note, I notice you use the phrase "everyday VPN"...as if to say "not for traffic you necessarily want to keep secure and private, just for typical day-to-day use." In that case, I'm not even sure why someone would be paying for a VPN at all. If all you're doing is checking your gmail and sports scores, I don't see why you'd even bother...let alone absorb the extra cost. What's the point?

    But if you're using a VPN because you are engaging in activity that is potentially consequential, you'd probably be interested in the most anonymity/security/privacy you can have. So I have to admit, I'm not completely sure what an "everyday VPN" is.

    That being said, while it's true the VPN knows your originating IP address, I don't think the threat is coming in the form you describe.

    I can think of basically three scenarios:

    1) The enemy is monitoring the traffic of a specific site, and then working back to the visitor...meaning they would identify a visitor's IP as that of a VPN, then go to the VPN and identify the user account that visited the specific site at a specific time, and determine the originating IP address. (And then go to the ISP and link the IP address to an account holder.)

    The first problem with this is, if we're talking about a black hat hacker, it's virtually impossible. The odds that someone (and by that I mean even a crew of any feasible size) could break into a VPN, identify an IP and link it to specific traffic, and then break into an ISP and link an IP to its human account, are basically zero. (And if anyone did have the skill and resources to do that, they'd be off digitally robbing banks or something else with a much bigger payoff.)

    If we're talking about a government agency, the sheer amount of red tape associated with such an operation makes it only slightly easier than the hacking operation.

    The second problem is, it assumes the number of people accessing that specific site at any given time through that VPN is low enough to be manageable. (In other words, if even a few thousand people are visiting a site through the VPN at any given time, there would be virtually no way to single anyone out.) But further, any VPN worth their salt isn't going to have such records anyway. (I go into this here.)

    So this route is basically useless. There is virtually no way to simply have a honeypot site which you expect to use and be able to trace random traffic back through a VPN and identify a user. (Which again, even assuming you could somehow identify an originating IP address (which you shouldn't be able to), would also require cooperation and timing data from an ISP to link an IP to a human identity.)

    Not even the US government is going to have the power needed to accomplish this, and even if they did, the cost is simply too high. They're going to target those not using VPNs long before they'd jump in that swamp. Just like any common thief, they're going to go after the lowest hanging fruit.

    Another possibility is:

    2) The enemy is looking for potential targets to monitor, so that they may then catch someone doing something of consequence. This is where bitcoin would add an extra layer of security. Electronic purchase records are virtually public. Obtaining that kind of data isn't extremely difficult for a skilled hacker, particularly one with resources. And of course it's even easier for government, as even local law enforcement could get credit card records quite easily...and it's not too much more trouble to get a live monitor (especially for higher branches of government.)

    So, if you're looking to simply catch someone (i.e. "who" doesn't matter to you) doing something online that you could use against them, odds are someone using a VPN would be a good target. So it's feasible that anyone with purchase records for a VPN service would raise a red flag, making you a target. This would be avoided by using unconventional payment methods (e.g. cryptocurrency) to purchase the service. (Meaning, potential enemies would have almost no way of knowing you use a VPN.)

    The third possibility is:

    3) The enemy has already identified you as a target, and wishes to monitor your activity. In this case, depending on the resources of the attacker, yes, even using a VPN (let alone paying for it in an anonymous way) may be useless. If they are able to compromise your machine, there's little a VPN would be able to do anyway.

    But, the scenario you posed, for example, supposed an LEA had knowledge of you being a customer of a particular VPN company, which allowed them to go directly to that company and demand a monitor of your traffic.

    Here again, I find this highly unlikely, as, if you're genuinely concerned about security/privacy — and, why are you paying for a VPN if you're not — you're going to be using a VPN outside of your jurisdiction. The odds that the government of the jurisdiction you reside in would be able to force the law enforcement of the jurisdiction where the VPN is stationed to force the VPN company to give them access to your personal traffic, are essentially nil.

    But just for the sake of argument, assuming all that happened...here again, paying anonymously would add protection.

    If you pay anonymously, the VPN would have no way to identify your traffic other than your originating IP address. The problem here comes in the fact that most IP addresses are dynamic, and can easily change.

    This means, that your enemy would need to be constantly monitoring your ISP account to determine your IP address at any given time, and be able to communicate that address to the VPN company in real time, telling them to monitor that traffic. (Because again, even if the enemy obtained a record of an IP address you had in the past, we're assuming the VPN doesn't have records of historical traffic, so the only way they could help an attacker is if they make a specific effort to monitor you in the future.)

    All this is much more difficult than if the VPN company simply knew which account was yours through their pay records. (In which case, it wouldn't matter what your IP address was. Your enemy wouldn't even need it. All they'd need to know is which VPN company to go to.)

    So ultimately, you have somewhat of a point, but there are at least two scenarios in which using cryptocurrency would add to your security in a significant way.

    To be honest though, I think the appeal of paying anonymously has more to do with simple hygiene than guarding against any perceived attack: At the end of the day, if you reveal your identity to the VPN, that's a break in the chain...because they know who you are, and they can monitor your traffic. By paying anonymously, you essentially remove this possibility. This way, to get your identity, the VPN would have to have collaboration with your ISP, and to get your activity your ISP would have to have collaboration with the VPN. The odds of this collaboration are virtually zero. But if you willingly identify yourself to the VPN, you yourself have broken the chain.

    Of course, the odds that a VPN could or would do anything with that info are also quite low, so as you suggest, bitcoin may be a bit overkill...especially if you're just playing Minecraft. But then again...if that's the extent of your Internet activity, why are you paying for a VPN in the first place?
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    @JackmanG

    OK, you make some good points. I use nested chains of VPNs, and have come to consider the first VPN as a throwaway. Still, I don't think that it's worth using highly anonymized Bitcoins for the first VPN. Once through a mixer would be enough for that.
     
  6. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I look at it this way: If it doesn't hurt, and you don't mind doing it, why not? I have not found a way that it hurts, yet.

    That was a good post JMG. My main reason for doing so is if the VPN's payment records get grabbed because of someone else, I don't want to get "swept up" in the frenzy.

    I use a VPN that I trust (warranted or not, but I think they truly are) and they have schemes implemented that separate payment from operation, logging etc... But even if active monitoring was occurring, there still isn't a credit card payment sitting somewhere, adding even more confirmation.

    PD
     
  7. Grassman20

    Grassman20 Registered Member

    Joined:
    Jul 14, 2013
    Posts:
    26
    Location:
    USA
    It may not be necessary, but I agree: why not? It's hard to foresee every possible vulnerability and you never know if using bitcoin for your VPN might actually thwart someone's attempt to trace your activity. It's really no effort to use bitcoin so it couldn't hurt.

    Personally, I also like the idea of doing what I can to support the adoption of a decentralized currency.
     
  8. Stifflersmom

    Stifflersmom Registered Member

    Joined:
    Jan 3, 2013
    Posts:
    45
    This discussion was very good. I appreciate all your opinions (especially you, JackManG). Thanks again.
     
  9. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Hi, just wanted to say thanks also for this thread and JackManG's efforts and great post.

    I would like to ask however, do you feel it is a good idea to use a VPN 1 and tunnel it to VPN 2, and then do what you need online?

    I too was concerned since I figured I connect to my ISP IP, and then connect to my VPN so in-between this time they do notice or see I connect to a VPN.

    My VPN's advice to get around this is to add an extra anonymity layer and connect to Tor over VPN, so you connect to Tor (a different IP) and then to their VPN, perhaps this is all that is needed and no need to do VPN tunnelling hence saving cost?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    @TheCatMan

    Yes, you can connect to a VPN through Tor. But to avoid a money trail, you must either use a free VPN (such as SecurityKISS) or pay with highly anonymized Bitcoins or cash by mail.

    You can also connect to Tor through a VPN. And you can even connect to Tor through a VPN, and then connect to another VPN through Tor :)
     
  11. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Thanks, I think connecting to a VPN via bitcoins and then connecting Tor over VPN, so not even your VPN knows your IP, is the best 100% and cheapest route :)
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I think that you have it backwards. To get "not even your VPN knows your IP" you need to be connecting a VPN through Tor, not "connecting Tor over VPN".

    But maybe we're referring to different IPs. Which IP are you referring to, your ISP-assigned IP or the exit IP that Internet sites see?
     
  13. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Hi, yeah, I meant VPN with Tor, not over it.

    What I mean is I want to connect to my VPN, but I don't want my VPN provider to know what IP I am connecting from, i.e. my real ISP IP.

    Would the exit IP be an issue? Surely they will still see the VPN IP or Tor IP?
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I'm still confused :oops:

    From this statement, I conclude that you want the VPN tunnel to be routed through Tor. In that case, your ISP would see a Tor entry guard IP, and your VPN provider would see a Tor exit relay IP.

    Internet sites would see the VPN exit IP. They wouldn't see anything about Tor, except for unusually high latency.

    You can accomplish this using Whonix, by creating a VPN client in the workstation VM. You can either go old school with the openvpn daemon, or use Network Manager. There are instructions in the Whonix wiki.

    But for this setup to be useful, you need to either use a free VPN, such as SecurityKISS, or pay a VPN provider using cash through the mail, or highly anonymized Bitcoins.

    It's easy to highly anonymize Bitcoins using -http://app.bitlaundry.com/-, -http://www.bitcoinfog.com/- and -https://en.bitcoin.it/wiki/OnionBC-, with 3-4 instances of Whonix with Multibit wallets. After 3-4 mixes, you have none of your initial Bitcoins left, and reliably tracing purchases back to you would be very difficult, if not impossible.
     
  15. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Thanks for the info, yeah, been playing around with VirtualBox, and Whonix looks good. Will consider bitcoins payment on my next VPN some time in the future :)
     
  16. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Thanks for the extended and very useful post on reasons why paying with Bitcoin is probably a good idea, regardless of one's VPN use scenario.

    I do think you leave out one possibility, when you dismiss the idea of "everyday VPN" use. I think a lot of people don't like the fact that their every online move is being tracked by Google, Facebook, ad networks, etc. For someone like that, purchasing a VPN service with Paypal makes some sense. Of course, they'd have to be careful about cookies, javascript, etc., also. Even when it comes to RIAA, MPAA, etc., I don't think they really have the legal or even extra-legal authority to demand a list from Paypal a priori of everyone who ever purchases a VPN service (and it's unclear how such information would be useful to them anyway). I can only see the government doing that and I don't think that kind of pseudo-legal NSA monitoring is being done in the service of the record industry (the RIAA can't really make a civil case against someone based on secret NSA spying and this is hardly the kind of case that's going to be taken up in a secret court proceeding).

    It seems like the biggest problem with a Paypal purchase of VPN service that you raise is that it might just get you on some sort of government watchlist. Although I do wonder if VPN use is wide enough these days, through the popularity of services like Private Internet Access, that it would not in and of itself be treated as suspicious activity.
     