
Which VPN Services Keep You Anonymous in 2017? - fraqed
https://torrentfreak.com/vpn-services-anonymous-review-2017-170304/
======
remx
There's no way of proving a VPN provider is _not_ logging[0]

Also worth reading this guide which is much more comprehensive than that
TorrentFreak article:

[https://thatoneprivacysite.net/vpn-comparison-chart/](https://thatoneprivacysite.net/vpn-comparison-chart/)

[0]
[https://gist.github.com/joepie91/5a9909939e6ce7d09e29](https://gist.github.com/joepie91/5a9909939e6ce7d09e29)

[#] [http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/](http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/)

~~~
jpalomaki
Or worse - stealing your secrets or injecting malware. I think these are ok
for specific use cases like p2p, but I would not use them for general
browsing.

------
i336_
Thankfully HN is not a VPN discussion site, so I have the freedom to say this:

The VPN market is completely artificial. You can completely sidestep all the
inflation by getting your own VPS or server. I've found this is tons cheaper,
and you have complete control over the hosting provider. I can recommend Feral
or UrDN myself; I've heard very good things about both, they are worth your
time checking out. I also have good but limited personal experience with
Contabo; they generally have admirably high CPU and network load tolerance,
but they _are_ in Germany. For 100.00% assurance find somewhere in
Switzerland.

Configuring OpenVPN (or SoftEther if that floats your boat) yourself also lets
you remove the server-sent default route stuff, which makes the process of
configuring your own local routing setup a little more elegant. (It also
teaches you a lot!)

There's also the massive benefit that because the VPN machine itself is
(presumably) just a Linux box, you can run Tor, Freenet, Tox, etc etc on the
machine, and benefit from that connectivity everywhere - while completely
moving those traffic profiles away from yourself. Win!

Also: it's _VERY_ easy to only run specific applications over the VPN link. I
did this for a friend running FreeBSD a few months ago using two FIBs.
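
Added example, not part of the comment above and not i336_'s actual setup: one way to combine the two ideas in it, ignoring the server-pushed default route in OpenVPN and sending only chosen programs through the tunnel with a second FreeBSD FIB. The host name `vpn.example.net`, the tunnel gateway address `10.8.0.1` and the program name `some-p2p-client` are assumptions made for illustration.

```conf
# --- /boot/loader.conf on the FreeBSD client ---------------------------
# Ask the kernel for two routing tables (FIB 0 and FIB 1); needs a reboot.
net.fibs=2

# --- OpenVPN client configuration (fragment) ---------------------------
client
dev tun
# Placeholder server name and the usual OpenVPN port.
remote vpn.example.net 1194 udp
# Accept pushed options except routes, so a pushed "redirect-gateway"
# never replaces the default route in FIB 0 (the normal routing table).
route-nopull
# On OpenVPN 2.4 or later, this drops only the pushed default route and
# keeps any other pushed routes:
# pull-filter ignore "redirect-gateway"

# --- Commands run as root after the tunnel is up (shown as comments) ---
# Give FIB 1 a default route through the tunnel. 10.8.0.1 is the assumed
# address of the server end of the tunnel.
#   setfib 1 route add default 10.8.0.1
#
# Start the one program that should use the VPN in FIB 1. It and its
# children resolve routes in FIB 1; everything else stays on FIB 0.
#   setfib 1 some-p2p-client
#
# Check what each table contains:
#   setfib 0 netstat -rn
#   setfib 1 netstat -rn
```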

~~~
wakkaflokka
If you host your own VPN on a CPA, couldn't the authorities simply link your
VPN IP (the VPS IP) to you via billing? Or am I not understanding how it
works?

~~~
i336_
Unfortunately not sure what you mean by CPA, haven't heard that acronym before
and Google only came up with "Cost Per Analysis" :P

Theoretically speaking you're completely correct. The main mitigation in
practice is to find providers in different countries which are unlikely to be
cooperative given the context - for example most countries will look down
heavily on picture sharing of certain kinds (if you get what I mean :( ),
while different countries have different policies on torrenting.

I've (solely anecdotally) heard good things about UrDN (used to be Ukraine,
now Sweden); Feral Hosting runs in the Netherlands, a country often used for
VPN type things (and if I understand correctly, you can get _up to_ - big
asterisks - 10Gbps-20Gbps with them, _without_ bazillions of $/mo); and I
understand Switzerland's laws are torrent-friendly, so getting hosting there
is expensive but kind of the gold standard.

As I said before, the VPN industry/scene is artificially inflated. Getting
OpenVPN up and running is actually a lot easier than you might think, I had it
on my todo list for months (getting a VPN running on a VPS for a friend) and I
ended up getting OpenVPN itself AND per-application tunneling going on FreeBSD
in about 2-3 days, with resilient client- and server-side autoconfiguration
scripts stabilized after about a week. There aren't really any tutorials but
it's all fairly easy to do. Unfortunately Windows doesn't do per-app tunneling
that well, if at all, I don't think.

I'd recommend playing with OpenVPN between for example two local machines/VMs,
or ideally a local machine and a VPS somewhere (even one you're not planning
on using for whatever the VPN would be for). This is because your LAN will
always be more forgiving and responsive than the Internet, and also because
"oookay, so now I can reach my laptop from 192.168.0.3 _and_ 10.0.1.15" isn't
as interesting (to me) as "my laptop is 10.0.1.15 and my VPS is 10.0.1.16!".

If you're familiar with VM networking or can accept the additional load of
learning about that concurrently then go for it with VMs, but I wouldn't
recommend it otherwise - your goal is to set up OpenVPN between a remote host
and your local computer, not to specialize in networking two VMs together.

There's also the possibility of tethering one computer to your phone for one
end of the network (with your phone using its data), and using your existing
internet for the other end of the network. That's if your cellular ISP allows
VPN traffic. I wouldn't advise using your phone's VPN client for initial
experimentation/setup, its debugging will not be _nearly_ verbose enough to
diagnose any issues.

~~~
wakkaflokka
Sorry, that was a weird autocorrect, I meant VPS, not CPA lol.

I see what you're saying now. Choose a VPS provider who does not store your
information or is not cooperative with legal requests.

In terms of privacy, what's the difference between trusting a VPN service
(i.e. iVPN) versus trusting a VPS service? Or are we talking the benefit is
solely in the decreased cost of running a VPN on a VPS?

~~~
i336_
No sweat.

> _I see what you're saying now. Choose a VPS provider who does not store
> your information or is not cooperative with legal requests._

Not storing information (eg, accepting Bitcoin) is mildly rare, I think, and
the ones that Google easily turns up are categorically going to be expensive
(since they're the ones fielding inquiries from who-knows-who with who knows
what agendas). Places that aren't interested in info _and_ are cheap on top of
that are edging into the hens' teeth sector; they exist, but they take a
truckload of digging (usually asking around) to find. UrDN aren't everything
but they're an _entry-level_ example of such a host. FWIW I learned about them
from someone I was talking to on IRC (for other reasons, the conversation got
to VPSes and they mentioned them).

> _In terms of privacy, what's the difference between trusting a VPN service
> (i.e. iVPN) versus trusting a VPS service? Or are we talking the benefit is
> solely in the decreased cost of running a VPN on a VPS?_

Looking at the tables on [http://vpngate.net/](http://vpngate.net/) (headsup:
practically 30KB/s :P) you can see "Logging Policy: 2 weeks" ad infinitum.
That's one example of nice transparency that I can recall. The only time I
set up a VPN it was on top of a VPS so I don't actually have any sort of idea
about the VPN market per se, in particular where to find concrete logging
info. That said, speaking from a security standpoint, let's say someone wanted
to exchange pictures/videos in the "exceptionally unsavory" category, they hop
on Google, find a VPN that says "Logging: None!!", say "great!" and use that
VPN for whatever cuz it won't be tracked. ....Nope. Not realistic. So, IMHO,
from a good infosec standpoint, any VPN provider that says "no logging" is
doing so solely to be a honeypot, or at least I would hope they are actually
still logging! If they actually aren't that's heinous laziness. Of course,
these providers are used as tunnels for torrent traffic on a daily basis,
logging policies notwithstanding.

If you've ever used Wireshark (or have a quick look at what it does), you can
get an idea of packet capturing. It's trivial to do this on a central gateway
or router for any network (or Internet)-connected server/service, and you can
log all throughput to a machine without making any changes to that machine.
The main two questions are storage and processing.

If you have say a dozen 100Mbps machines you want to log, that's (assuming
continuous 100Mbps throughput the whole time; unlikely but possible)
(((1024^2)\*12)\*(24\*60\*60)\*12)/(1024^4) = 13.04TB of data after 24 hours. If
those 12 nodes get 1Gbps connectivity that becomes 135.89TB of data, and if
you have 1000 1Gbps nodes you have 11.32PB of data to store.

But once the data is stored, assuming a 24 hour window it must be completely
processed within that window because it will be completely discarded afterward
(literally overwritten).

Need to go to sleep, can elaborate further in a few hours

~~~
i336_
NOTE NOTE: I used Google to try and get terabyte/petabyte values for all the
numbers above. I was too tired to realize it wasn't dividing by 1024 but by
1000. Woops... :)

How the info is processed depends on budget. The NSA had an estimated $10bn+
budget four years ago; I can only assume it's skyrocketed. That's just public
estimate guesstimating off of visible operations; the budget itself is
classified and I wouldn't be surprised if the (official, ledgered) budget was
even higher. So, for the NSA (and similar black-budget groups) you likely have
multiple exabytes (tens - say, even _hundreds_ - of exabytes?) of diskspace
to work with.

Going off what I assume is saying 16.8Tbps on "Trans-Pacific" at the bottom
right of
[https://www.telegeography.com/assets/website/images/maps/sub...](https://www.telegeography.com/assets/website/images/maps/submarine-cable-map-2016/submarine-cable-map-2016-x.png), that generates
((16.8/8)\*(1024^4))\*(60\*60\*24) = 177.18PB of data in 24 hours assuming continuous
peak throughput, or at least that's what it would generate if that cable is
still only doing 16.8Tbps. Given that small(ish) companies like Backblaze can
handle 200PB in a fairly small datacenter, capturing all data that goes
through that cable for a few hours doesn't sound too unreasonable for the NSA
or maybe a few others.

So there's that.

It gets crazy quickly though:

2 days: 354.37PB

3 days: 531.56PB

4 days: 708.75PB

5 days: 885.93PB

6 days: 1.03EB

7 days: 1.21EB

8 days: 1.38EB

9 days: 1.55EB

That's not taking compression and dedupe into account (which will definitely
afford huge savings), but it's also not accounting for processing overhead,
which will want to generate intermediate datasets (which themselves will be
huge) and so forth.

So the main difficulty is _time_; unless all (presumed) 10 billion dollars is
being spent on buying disks, power to run those disks, and invisible ink to
make the physical space and power usage go away (however would be appropriate
for the situation...? I have absolutely no idea), well, your storage capacity
is going to be finite.

So then you need an incredible processing system that, within the storage
window you have available, processes the information such that you extract the
useful tidbits out and can discard the rest. That's the "the NSA is hiring
kids out of grad school!" bit. (And I'm all the way over in Australia and I'm
aware this happens. I think I learned about it on here.)

So I'm using the NSA as the "ideal best case scenario" because they have way
too much money, are probably doing a bunch of what I'm describing, and this is
a fun mental infosec challenge. Obviously your random VPS or VPN provider
isn't going to have any of this... but oh hey, the NSA is probably tapping those
lines anyway, because duh. Remember, of course, that packet switching networks
can route data anywhere they want, so it's a toss-up between whether the
packets can be coaxed and nudged into going through tapped routes, or whether
there are taps on all the routes being used anyway. Same thing or not
depending on how you look at it (and the situation).

In some cases the VPNs probably only log to help prove themselves innocent
when required, and likely just drop the data without processing it. Some
probably do basic keyword or similar realtime analysis; perhaps the ones that
have been bitten a lot (I have no idea if there are any, common sense would
suggest they would exist).

I would be genuinely surprised if any VPN or VPS providers actually did
slightly-behind-realtime complex/involved/high-CPU data inspection/validation.
There's simply no value-add in doing that behind the scenes except for more
legal paperwork when things are found, and "we perform deep packet inspection
on all your incoming and outgoing traffic!" on a homepage is a definite path
to zero customers!

Obviously all of this is conjecture and hearsay; I thought of much of it as I
went along figuring and typing this out, and I've probably forgotten some
avenues of thinking that could result in different conclusions.

I do still remain reasonably paranoid considering the XKeyScore and PRISM
stuff. Also, don't forget, at the scale I've been talking about here, I would
not at all be surprised if all the private keys for all the CAs your browser
trusts are floating around out there (even if you don't understand this,
please pass it on). This was interesting to watch:
[http://video.fosdem.org/2014/Janson/Sunday/NSA_operation_ORC...](http://video.fosdem.org/2014/Janson/Sunday/NSA_operation_ORCHESTRA_Annual_Status_Report.webm)

