IMHO stock OpenBSD is a better start. Concise and secure. Sending all traffic through a VPN is probably a bad idea; it is better IMO to put /some/ traffic through the VPN that you want separated. Private browse through VPN, preferably in a VM. The "I'm not a robot" thread (https://news.ycombinator.com/item?id=19155643) from a few days ago showed just how much can be gleaned by JavaScript; that's probably enough to work out if your private browser is on the same computer as the non-private one.
It says nothing about who the Dark Intelligence Team is, but this Google cache[0] has a little bit more info:
>We are security enthusiasts from China, Germany, France, Netherlands, Norway, Switzerland, Mexico, India and Russia. Some of us have used *nix systems since 1999.
>Coding && DeCoding && Talks && Beers && Wine && Pizzas && Good Music && Stuff && Hacking.
So at least nine contributors, unless they're counting one person as being from multiple countries.
I suspect the idea is that a VPN will provide encryption for all network traffic by default, preventing others on the local network from packet sniffing.
Is security not an illusion with the current computer architectures? Sometimes it feels like we have to go back to architectures that separate code from data (Harvard) to really be secure.
Nah, you could still e.g. use a use after free to smash the return address or a vtable on a Harvard machine and execute a ROP chain. If it did speculative execution too it would probably be vulnerable to spectre. There's nothing special about Harvard machines when it comes to security.
Imho, to use a metaphor, not much different from the glass windows of a car protecting the car's contents. And then of course, some owners just leave the windows down, other 'car windows' have special foils, multilayer, some even have bullet-resistant qualities, but give it time and physical access and it's always a compromised car in the end.
Indeed. The NX bit (which differentiates between executable and writable data) roughly approximates Harvard Architecture-like differences between types of memory, and likewise it cannot prevent code reuse attacks.
> WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come.
I agree that WireGuard will be great when it's done. Is there something I'm missing?
Maybe he meant that ProtonVPN has a pretty shady reputation on HN due to their business connections to TesoNet, which is a data mining company. It's a lot more complicated than that, but if you see ProtonVPN being shot down on HN, that's why.
Personally, even if there isn't anything actually shady going on, I would want my VPN provider to be beyond reproach. Any smart VPN provider wouldn't want even tenuous connections to data mining companies.
It feels a bit dirty to recommend Private Internet Access since they were the ones who pointed this out on HN, but so far AFAIK they are the only ones that have been court-tested. Other options would be TorGuard or Mullvad VPN. Mullvad even already supports WireGuard!
> I just run my own VPN from a $5/month DigitalOcean droplet... I feel like all the public VPNs are like big honeypots I'd rather stay away from.
I guess that depends on your threat vector. I mainly want copyright hounds and data miners (including my ISP) to stay out of my way. For this a public VPN is perfect. Hell, in a weird way, if PIA somehow turned out to be an NSA honeypot they would be even better for that purpose since they'd essentially be untouchable by copyright holders.
In general, I guess a personal VPN is more private on a micro level (no VPN provider that can spy on you) but less private on a macro level (any determined actor can trace your DO VPN back to you since you are the only user).
> Does that mean ProtonMail also is no longer trustworthy?
That is, again, for yourself to decide.
Personally I think the Proton company isn't malicious and just really bungled up the launch of ProtonVPN by going at it together with / through TesoNet, and their VPN efforts will forever be tainted by that.
But, that has very little to do with their mail branch, which preceded ProtonVPN and which so far seems a pretty good offering to me if you want your mail to be encrypted-at-rest.
I wouldn't use a VC-backed, for-profit company for anything privacy related. Selling users out behind the scenes to advertisers and TLA's is an easy way to get money. Better to get hosting in a jurisdiction without police-state-style activities, with privacy protections, and/or from a nonprofit or public-benefit organization incentivized to look after users. A for-profit, non-VC company with long history of steady, honest business is also a decent option if you can't find/afford/use safer jurisdictions. Prgmr.com is an example of the last one from what I've observed.
For most VPN companies, you basically have to blindly trust them that they aren't doing anything nefarious. ProtonVPN is different because it's been thoroughly checked and vetted by Mozilla (https://blog.mozilla.org/futurereleases/2018/10/22/testing-n...) and also because there is full transparency regarding who runs the service. You can find the names of the former CERN scientists who created the service, along with their past scientific publications, and things that prove who they are.
AFAIK ProtonVPN’s offering is based on OpenVPN and I just don’t see the benefit of using that protocol when a more modern alternative is available (i.e. Wireguard). The fact that ProtonVPN is located in Switzerland is not a selling point that matters to me, YMMV.
The code isn't public yet. I imagine that if you want to get involved at this stage you'd need to contact them directly. Their email address and public-key are available here: https://www.secbsd.org/dark-intelligence-team.html
I am getting a lot of mental "red flags" over this one. It's a bunch of distros of things, some of which are pentest, some of which are less clear to me, and it has confusing statements about VPN. Kali is understood. It has a sense of purpose, a community, quite strong public statements of intent and purpose.
This one. I mean sure, that lock-pick you bought from a guy in the pub, he said it was only for testing padlocks, but now you see other people testing doors along the hall and you're wondering what you just walked into...