Sciencemadness Discussion Board - Your privacy is gone, get a VPN

Your privacy is gone, get a VPN

Pasrules - 8-4-2015 at 13:05

I'll try to keep this short. Technicals will be below.
Recently in Australia they have passed new data retention laws which require ISPs to hold your metadata for a minimum of 3 years.
However you can get around this problem buy purcheasing a VPN-virtual private network. A VPN works by encripting your data at your computer then sending it to your ISP then to the VPN server. Your ISP can't read what your sending and receiving because of this, this is your best interest concerning privacy.
I have been in contact with a sales rep and a very friendly customer support team about getting a discount on these VPNs for my Australian community of PC gamers and remembered i have another community with you guys which is why i thought it was very important to share this information.
Here is the provider i use: http://www.ibvpn.com/billing/aff.php?aff=3814&page=plans
And if anybody has questions feel free to post them or send me a U2U. Just to sweeten the deal i managed to get 40% off coupons for all my members when I got them for my community and it looks like I'll be able to do that for you guys too.

Technicals
What is meta data?
Metadata is the exact no interpretation needed of what you receive when you browse a webpage or receive something over the internet. If you want to look at an example most email services allow you to look a email source which displays all the ids of what and how it was sent.
What does this mean?
Well for us we research chemicals, specifically for me I research pharmaceuticals. This doesn't mean i'll get a knock at the door for doing it but it does mean if i get in trouble later down the track this information would look incriminating. To make matters worse some websites display illegal content which you may not even see but meta data doesn't lie that you've had access to it.

Here is a forum post from my friend stone who is a security analyst, he covers this topic in more detail then I ever will:
http://www.borderlinetactical.com.au/forums/forum/borderline...

Pasrules - 8-4-2015 at 13:08

For anybody who is a technophobe, to operate a VPN you just log in when you want to use it (similar to MSN), its just a small application in the task bar. The site link i provided above gives a 6-hour trial and a lot of support.

Chemosynthesis - 8-4-2015 at 13:25

Similar here as well: https://www.sciencemadness.org/whisper/viewthread.php?tid=61...
Linked for subject matter.

aga - 8-4-2015 at 14:11

What a wonderful way to covertly access data, and with nobody ever being able to see who you are, where you are, or what you are doing/saying.

Naieve to say the least.

We thought of that decades ago, established 10,000s of so-called VPN services so you can all pretend that you're browsing in complete security.

You are : just it's our security, not yours.

Oh, i'm not CIA. I meant Their instead of Our etc.

Simple things that YOU think of are of no protection to you, especially if you find them on the web.

Some readers may recognise that ciphers/codes/the breaking thereof have always been intensely interesting to the military of all countries.

Pasrules - 8-4-2015 at 14:29

I'm promoting these because they have more respect for privacy than the current Australian laws. Unless you want to run your own cable to every website you access, literal cable, than you can be compromised. There are free options you can take such as changing from your default DNS provided by your ISP. I recommend the OpenNic DNS http://www.opennicproject.org/ and here is a tool to test your current DNS https://www.dnsleaktest.com/

What is a DNS? well rather what does it mean to you? if you run the test from the link above it with show you exactly where your data (packets) travel to. In Australia we have the Melbourne data centre. To change your DNS instructions are provided within the top link.

Another precaution you can take is using a firefox browser with addons such as request policy (you can stop google analytics), Dolus (sends random information to location services) there are a few more I have but those are the important ones.

This is about making you more aware of your internet safety and privacy please do not take me as naïve.

[Edited on 8-4-2015 by Pasrules]

Chemosynthesis - 8-4-2015 at 14:34

It's entirely possible this won't be of much use, since the Five Eyes countries have been known to use each other to spy on the citizens of their own countries, so that they circumvent internal privacy laws and regulations.

But I don't want to get into that can of worms.

Pasrules - 8-4-2015 at 14:43

Yes keep that can of worms closed before people start thinking that they need to wear tin (aluminium) foil hats.

aga - 8-4-2015 at 14:51

My day job is running a network supplying people with internet.

Changing your DNS server settings is a bit like wearing cling-film underpants to protect your ass from Fire.

Bottom line is that no matter what google-searched efforts you make to 'protect' yourself from snooping, you are always vulnerable.

Your Best protection is to avoid doing online things that the authorities do not want you to do.

Generally that'd be a good thing all round.

Loptr - 8-4-2015 at 15:48

Ideally, you want to be able to hide amongst a lot of incoherent traffic. This is the concept of Tor, along with its use of multiple encryption layers, that get unencrypted as the message reaches each predetermined node in the Tor network. Each node can only decrypt a message encrypted with its public key, so neither before or after can understand its secret.

Bottom line, the more people use Tor, the better. Tor provides endpoint anonyminity, but not the fact that you are using Tor. With the use of data shaping proxies and such, you could in theory connect to Tor and no one be aware of that fact. If they don't know you are using Tor, then you don't become a random target for surveillance. The NSA has the computational power to break hashes and solve for keys, that is undeniable.

The more people that use Tor, the trash they have to sift through to find you.

Chemosynthesis - 8-4-2015 at 16:30

Tor has been discussed in the other thread to add to that.

Cou - 8-4-2015 at 16:41

Just use tor, it's free and a lot safer than a VPN. You never know if a VPN was secretly subpoena'd by the NSA.

Varmint - 9-4-2015 at 03:09

Wow, people still think they can achieve or maintain anonymity?

That's almost as bad as people ignoring all the lies and fabrications regarding global warming and still choosing to believe in it.

The absolute BEST way to have you data scrutinized is to try and protect you data from snooping.

A). You can't protect it, period.
B). Not wanting to get visited for researching certain topics look several orders of magnitude worse when you make an attempt to cloak it.

Imagine the following email message:

"Happy Birthday Mom!"

Sent in the clear, it looks like a dummy that should have picked up the phone and called his or her mother.

Sent "cloaked" it would automatically assume a level of interest far beyond standard traffic.

To think that they would never decode the content in the first place is, again, tantamount to still believing in global warming.

[Edited on 9-4-2015 by Varmint]

Loptr - 9-4-2015 at 05:40

Quote: Originally posted by Varmint

Wow, people still think they can achieve or maintain anonymity?

That's almost as bad as people ignoring all the lies and fabrications regarding global warming and still choosing to believe in it.

The absolute BEST way to have you data scrutinized is to try and protect you data from snooping.

A). You can't protect it, period.
B). Not wanting to get visited for researching certain topics look several orders of magnitude worse when you make an attempt to cloak it.

Imagine the following email message:

"Happy Birthday Mom!"

Sent in the clear, it looks like a dummy that should have picked up the phone and called his or her mother.

Sent "cloaked" it would automatically assume a level of interest far beyond standard traffic.

To think that they would never decode the content in the first place is, again, tantamount to still believing in global warming.

[Edited on 9-4-2015 by Varmint]

Yosemite Sam: Stop right there, varmint.

Yes, it is very difficult, but it is possible. You also have to be very aware of what you are doing and using, which also takes an understanding of the technologies that goes above and beyond most technical users.

You have to assume everything you interface with is listening to you, such as your computer, router, modem, ISP, etc. So how do you reduce the noise you make or ensure each one can't observe you? There is also safety in numbers, and that is an undeniable fact because the computational complexity and time requirements rise exponentially with every participating device. It also comes down to simple statistics, the more they have to watch, the less likely they are watching you.

I also liken it to duck hunting. If all the ducks scatter and fly at the same time, each individual duck has a greater chance of making it out of there alive.

Do not believe the lies that are designed to try and scare you away from attempts at anonymity. The reason behind wanting you to think it's futile is so that not as much work has to be exerted in order to achieve the same level of surveillance that has been such easily achievable in the recent past.

macckone - 9-4-2015 at 09:04

The best defense is to do nothing illegal.
As chemist that is difficult because of all the rules and
Regulations, some of which are silly (Pyrex coffee pot in texas?)
For the truly paranoid, use tor over a VPN hosted in Romania.

Very few things are going to protect you against traffic pattern analysis.

Loptr - 9-4-2015 at 09:49

Quote: Originally posted by macckone

The best defense is to do nothing illegal.
As chemist that is difficult because of all the rules and
Regulations, some of which are silly (Pyrex coffee pot in texas?)
For the truly paranoid, use tor over a VPN hosted in Romania.

Very few things are going to protect you against traffic pattern analysis.

If they can observe the entire Tor network at once, then they will start to determine correlations between messages sent and messages forwarded. There have been developments where some messages are bundled together, so it makes a correlation ever more difficult.

Yes, the ultimate defense is to do nothing wrong, but that is only given in a fair game. It has come to the attention of the public that a fair game isn't being played, and is one that utilizes drive-by attacks where the innocent are being scrutinized as well.

As you have seen in the news, drive-by shootings kill bystanders.

Don't be a bystander.

[Edited on 9-4-2015 by Loptr]

aga - 9-4-2015 at 11:13

Quote: Originally posted by Loptr

I also liken it to duck hunting.

I liken it to a simple matter of CPU power.

Given enough (and there is more than enough), all the ducks are toast.

A consortium of intelligence agencies started Tor and make a good profit selling the info they harvest.

Don't tell me you believe the whole Story ?

Sheesh. People will believe the Advertising bullshit next, and that a Burger and fries is good for cholesterol (they are, but it's damned hard to extract in a pure form !)

[Edited on 9-4-2015 by aga]

Loptr - 9-4-2015 at 12:23

The concept may have been developed by the Naval Research Laboratory with DARPA support, but as of 2004, it is open-source and run by the community.

Tor also has an active academic interest in breaking it. Yes, there are existing attacks, such as correlation and vulnerabilities in client software using it, but so far there hasn't been a true vulnerability in it's concept. Most of them rely on viewing the entire Tor network in real-time using something like Bayesian traffic analysis.

But hey, what do I know, I'm only a programmer that has worked on a distributed big data processing and automatic classification and inference system utilizing a 4 dimensional world ontology, hadoop, storm, and a myriad of other big data related technologies that ingests documents, videos, sound recording (voice), etc., and extract natural language, topics, noun-verb-subject triples, and runs sentiment analysis, etc., etc. I know very little about the abilities and limitations of "CPU power"...

If you were talking about computational complexity theory, there do exist some problems that can't be solved given it's required polynomial time by a deterministic Turing machine. The point being, the more power you throw at something doesn't necessarily reap rewards.

[Edited on 9-4-2015 by Loptr]

aga - 9-4-2015 at 12:36

Not all CPU Power involves Silicon : carbon based CPUs can also be applied in huge numbers.

Edit:

Carbon based CPUs like Yours that make the millions of silicon based ones do the stuff you want.

[Edited on 9-4-2015 by aga]

macckone - 9-4-2015 at 14:02

Traffic pattern analysis also called correlation analysis is very powerful. For example, they can detect when you send something and when a website is accessed and corresponding return traffic, they can make the connection that you are browsing a particular website. If you make a post, they can link your online activity to that post and the username. Of course for traffic analysis to work they have to have access to the information about data travelling over the Internet. The best way to come to their attention is to use tor or vpns. They can't prove it is you but it is often sufficient to get a warrant to allow more extensive monitoring. Silk road and silk road 2 were taken down using just such analysis.

aga - 9-4-2015 at 14:18

Analysing patterns of Which IPs you access, When and the Quantity of data you transfer (in each direction) tells a tale.

Points out which data streams to target.

But then what would i know ?

(factual data of my electronics/computer programming life before, during, and after internet inception and development omitted to avoid any attempt to pump my ego).

Loptr - 9-4-2015 at 14:29

Quote: Originally posted by macckone

Traffic pattern analysis also called correlation analysis is very powerful. For example, they can detect when you send something and when a website is accessed and corresponding return traffic, they can make the connection that you are browsing a particular website. If you make a post, they can link your online activity to that post and the username. Of course for traffic analysis to work they have to have access to the information about data travelling over the Internet. The best way to come to their attention is to use tor or vpns. They can't prove it is you but it is often sufficient to get a warrant to allow more extensive monitoring. Silk road and silk road 2 were taken down using just such analysis.

Actually, what brought them down is the servers were infiltrated. They may have attempted analysis, but ultimately, they hacked into the machines.

aga - 9-4-2015 at 14:50

I think Loptr would agree that given enough Interest (which there Is) the Resources have already been deployed to make all of our online activity Transparent to those who deployed those resources, and things such as Tor are simply bits of flimsy Glitter to trap those who think they just Googled a 'solution'.

Fact is that Users of the Internet are not as empowered as the Makers, or the Owners.

Loptr - 9-4-2015 at 15:18

I think great strides have been made in that direction, but majority of intelligence is gathered by other means than decrypting encrypted traffic.

Remember, as the governing body, they can impose requirements to all electronics manufacturers that suit their needs.

For most datum of interest, they already have a direct line for inquiry. They have to really want to go after you in order to start decrypting your traffic. This doesn't mean they won't target subsets of traffic related to a particular point of interest, such as dark markets, which as you all know, where there are drugs, there are typically funding routes back to people of interest. So not only stay away from the shady parts of anonyminity services, but don't become grouped with their traffic. Then you must just find yourself in the middle of some drag net operation.

They have the resources, and definitely time, on their side.

Also, there are multiple aspects of intelligence, signals, human, etc., so they work from multiple angles. Just as they would if they were targeting a IED manufacturing network in Iraq; they attack the network--that being the people, places, interactions, things, time, and associations between them.

aga - 9-4-2015 at 15:22

Agreed, wholeheartedly.

Any notion of Safety is always an Illusion.

Live fast, die young, leave a good looking corpse.

Never think you're cleverer than the Machine that is the Power structures of this world.

Loptr - 9-4-2015 at 15:36

But in the end it still comes down to the more you do to remove your public facing profile, the better.

Aga is right, in that mask can be removed at anytime, because they do have the resources.

It's a question of whether taking on an entire network is worth the man years and funding to pull it off, and then once it has been accomplished, to then sustain it. This is why I say the more people protecting themselves, the better, because it increases costs for them to continue to do so. It also becomes less effective if all traffic starts to go over Tor.

(I am not a Tor salesman, there was another project, i2p, that I was considering taking a part in a while back in favor over Tor, simply because it was a newer project and there were already lessons learned from Tor, but then life happened, got married, had a baby almost immediately, then fourteen months later, another one...now hardly code in my down time like I used to. At one point I was maintaining a homegrown unix clone that I had written as a member of the OSDev site, but that has also come to a hault. Enjoy life when you are young, because damn, once it changes, it's gone. lol)

So, please, for the love of god, people, use the https://www.sciencemadnes.org/whisper version of this site. I keep meaning to get back with Polverone on some changes to the Apache httpd configuration that will handle the redirects, but I keep getting pulled into crazy political trists at work, and home time is full of taking care of the kids. I will get to it eventually, Polverone, I promise.

[Edited on 9-4-2015 by Loptr]

[Edited on 9-4-2015 by Loptr]

aga - 9-4-2015 at 15:57

Life has a way of just Happening all by itself, with no regard to what we want.

Sciencemadness Https (aka whisper) is pointless.

If you're discussing Online some seriously Bad Shit, it may be 'secure' when you type it, yet a few seconds later it's been magically altered into plain text.

E.g. spider the site using https. Oops.

Loptr - 9-4-2015 at 16:04

Well, I was pushing the HTTPS mainly for the reason your username/password being transmitted over HTTP being a bad thing.

Now, yes, there are tricks for an MITM attack where I can force you session to downgrade to a defective version of SSL or TLS, or even back down to HTTP altogether, both that is a separate issue.

And again, it would require a targeted attack.

[Edited on 10-4-2015 by Loptr]

Also, not to mention, if they don't see your content going back and forth, then unless they have access to the site logs, they don't know who you are on the forum. Without an identity in hand, they have no idea what you are saying. So why hand out your identity like that? They would have access to your session cookies, and any other identifying metadata that would be sent in the HTTP headers. There is also the possibility of then injecting content in the returned HTTP responses to execute javascript within your browser and try and fingerprint your machine, such as accessing an img hosted on their server to get your gateway IP address, etc.

[Edited on 10-4-2015 by Loptr]

It's also just standard operating procedure for majority of sys admins in the world, as I would expect of you, aga, as you say you help run a network.

[Edited on 10-4-2015 by Loptr]

macckone - 9-4-2015 at 20:00

Quote: Originally posted by Loptr

Actually, what brought them down is the servers were infiltrated. They may have attempted analysis, but ultimately, they hacked into the machines.

Not to quibble bits but they hacked into machines and actually put machines on-line (no one controls who adds machines to tor) to do the traffic analysis. They also used human resources to contact those suspects to further enhance the certainty they had the correct suspects before they actually got warrants to tap computer hardware. Once they had 'suspects' they were able to get warrants to plant software on those suspects personal machines. Once they have a warrant you are basically screwed. Tor is secure as long as noone can monitor your personal computer or traffic to your entry node. Once they can monitor that traffic they can correlate it to traffic on web sites of interest and exit nodes etc. It is uncertain how many entry and exit nodes are currently compromised by security agencies. Adding a VPN to move your entry IP offshore might provide some additional security, but only if it is in a country that doesn't honor requests from american (or your country of residence) law enforcement or security agencies. HTTPS is fairly secure if you disable SSL and only use TLSv1.1 or higher and you monitor the certificate that is presented.

Loptr - 10-4-2015 at 04:06

No argument from me, macckone.

A lot of things take place during that sort of operation.

Like I said originally, majority of intelligence comes from people, the humint factor.

aga - 10-4-2015 at 11:08

Reminds me of an argument i once had with a rival wifi network operator.

We were back and forth with all sorts of technical banter about vulnerabilities, security etc.

Eventually he won the day by saying :-

'Nobody witholds passwords from a man with a gun, or a big hammer'

Loptr - 10-4-2015 at 11:33

Quote: Originally posted by aga

Reminds me of an argument i once had with a rival wifi network operator.

We were back and forth with all sorts of technical banter about vulnerabilities, security etc.

Eventually he won the day by saying :-

'Nobody witholds passwords from a man with a gun, or a big hammer'

Well, that is the where the idea of keys come into play. You can't tell them if you don't know it because it is so large.

I honestly don't know a lot of my passwords, so if you were to ask me, I honestly wouldn't be able to tell you.

aga - 10-4-2015 at 13:24

Likely that you'd perform whatever action you were asked if a gun were to your head, or your child's.

I know i would.

Bypasses all of the tricky security, passwords and keys neatly.

Basically there isn't any computer data worth more than a life that i care about.

Loptr - 10-4-2015 at 13:38

How has this discussion come to this???

My head is spinning trying to make the connection with the original topic.

Why are we arguing physical access is ownership? Yes, absolutely.

aga - 10-4-2015 at 13:50

Basically we were arguing about technological measures to ensure 'security' as in data paseed to-and-fro on the internet.

We started disagreeing, saying it *can* be secure, and we ended up here, agreeing that it never really is.

So no, don't bother with a VPN IMO.