Mailing List Archive

Re: About to have fiber internet and need VPN info
On 6/8/22 20:42, Michael wrote:
> On Saturday, 6 August 2022 12:08:30 BST Dale wrote:
> ...

> The more you try to escape the 14 eyes Big Brother, the closer you may fall
> into the hands of various authoritarian regimes. LOL! Even VPNs like NordVPN
> which operates within the jurisdiction of Panama (let's not forget it is
> Langley's doorstep), it also has offices in the UK, Netherlands and Lithuania.
> I wonder why . . .
>
> Total privacy on the Internet is improbable. If your only concern is to
> retain your privacy from your ISP with regards to your Internet connections,
> then most/any VPN service will offer this benefit by obfuscating your IP
> address. Your browsing patterns, browser User Agent, addons and umpteen other
> OS and application fingerprints won't be obfuscated beyond the VPN server.
> Therefore your identity can only be protected so much and no more.
>
Also, leakage is almost inevitable ... DNS, content distribution
networks, browser fingerprinting, timezones, paying online with a US
credit card, US delivery address and just simple mis-configuration
exposing you to risk etc.  My impression as a long time openvpn user is
that TOR and the TOR browser might be the closest to secure for your
purposes? Also, keep in mind that things like online shopping will cost
you more overseas because if you are successful in hiding you are in the
US you will get the international surcharges, or in some cases ordering
IT stuff from the US you have to fill out export clearances (once even
for sparkfun hobby stuff!) :) ... then if you pay with a US card and/or
have a US delivery address they have got you anyway - in fact being in
Oz I gave it up as being no gain, too much pain to use a VPN to try and get
cheaper US shopping. I found myself having to maintain two totally
independent systems with one in a locked down VPN with US settings with
all traffic actively blocked from the local network, and use US shipping
and packaging firms that offered facilities to buy on my behalf.  That
is much harder than you think - trusting the end points is only one
small part of the problem you are trying to solve and from the Gov
monitoring point of view almost certainly a waste of time anyway as they
have massive resources. The best you can hope for with openvpn is SSL
point to point level security.  Just use HTTPS, a good browser and be
part of the crowd - if you are trawling suspect/socially compromising
websites you do not want anyone to see you going to, no matter what you
do there will always be a risk and as a VPN user you are a more likely
target for a closer look anyway.  I am sure the bigger online VPN
providers would be monitored closely - at least TOR is likely to help
more than a plain VPN.

BillK
Re: About to have fiber internet and need VPN info
On Sunday, 7 August 2022 07:06:55 BST William Kenworthy wrote:
> On 6/8/22 20:42, Michael wrote:
> > On Saturday, 6 August 2022 12:08:30 BST Dale wrote:
> > ...
> >
> > The more you try to escape the 14 eyes Big Brother, the closer you may
> > fall
> > into the hands of various authoritarian regimes. LOL! Even VPNs like
> > NordVPN which operates within the jurisdiction of Panama (let's not
> > forget it is Langley's doorstep), it also has offices in the UK,
> > Netherlands and Lithuania. I wonder why . . .
> >
> > Total privacy on the Internet is improbable. If your only concern is to
> > retain your privacy from your ISP with regards to your Internet
> > connections, then most/any VPN service will offer this benefit by
> > obfuscating your IP address. Your browsing patterns, browser User Agent,
> > addons and umpteen other OS and application fingerprints won't be
> > obfuscated beyond the VPN server. Therefore your identity can only be
> > protected so much and no more.
> Also, leakage is almost inevitable ... DNS, content distribution
> networks, browser fingerprinting, timezones, paying online with a US
> credit card, US delivery address and just simple mis-configuration
> exposing you to risk etc. My impression as a long time openvpn user is
> that TOR and the TOR browser might be the closest to secure for your
> purposes? Also, keep in mind that things like online shopping will cost
> you more overseas because if you are successful in hiding you are in the
> US you will get the international surcharges, or in some cases ordering
> IT stuff from the US you have to fill out export clearances (once even
> for sparkfun hobby stuff!) :) ... then if you pay with a US card and/or
> have a US delivery address they have got you anyway - in fact being in
> Oz I gave it up as being no gain, too much pain to use a VPN to try and get
> cheaper US shopping. I found myself having to maintain two totally
> independent systems with one in a locked down VPN with US settings with
> all traffic actively blocked from the local network, and use US shipping
> and packaging firms that offered facilities to buy on my behalf. That
> is much harder than you think - trusting the end points is only one
> small part of the problem you are trying to solve and from the Gov
> monitoring point of view almost certainly a waste of time anyway as they
> have massive resources. The best you can hope for with openvpn is SSL
> point to point level security. Just use HTTPS, a good browser and be
> part of the crowd - if you are trawling suspect/socially compromising
> websites you do not want anyone to see you going to, no matter what you
> do there will always be a risk and as a VPN user you are a more likely
> target for a closer look anyway. I am sure the bigger online VPN
> providers would be monitored closely - at least TOR is likely to help
> more than a plain VPN.
>
> BillK

TBH I don't think even TOR is to be trusted 100%. There must be 100s if not
1000s of honeypot TOR servers set up with the purpose of harvesting comms and
associating entry and exit patterns as part of regular internet surveillance
work.

The best a well configured VPN tunnel can offer is a secure connection between
client and VPN server, which is handy if you are out and about using untrusted
and insecure WiFi hotspots. In such a case, having configured your home/office
router as a VPN server for free will allow you to use your client device as a
roadwarrior, which should be just as effective as using some remote VPN
service.

The only other reason for using a VPN service is to present a different
geolocation for the purpose of overcoming country-specific website
restrictions. In this case a VPN service works effectively as a proxy server
in changing your IP address.
Re: About to have fiber internet and need VPN info
On Sun, Aug 7, 2022 at 11:36 AM Michael <confabulate@kintzios.com> wrote:
>
> The best a well configured VPN tunnel can offer is a secure connection between
> client and VPN server, which is handy if you are out and about using untrusted
> and insecure WiFi hotspots.
>
> The only other reason for using a VPN service is to present a different
> geolocation for the purpose of overcoming country-specific website
> restrictions.

I think ONLY is a bit strong here. A VPN effectively makes it
impossible for your ISP to know who you're talking to, and it obscures
your IP from hosts you are connecting to.

Sure, there are ways to defeat this, but most of them are only
applicable for state-level actors, and the methods available to
ordinary companies can only identify at best a unique browser profile,
which only lets them correlate traffic with those they share info with
to the degree that you use a single browser profile across those
platforms. For non-web traffic there are generally fewer attacks
available. Many of the attacks that are often cited like DNS-based
attacks are not that difficult to prevent (eg by ensuring your DNS
traffic goes out over the VPN).

If there are sites you browse using a different browser profile
(ideally on a VM/etc), and you never use that browser profile for
ecommerce or activity associated with your normal social media
accounts, then it is unlikely that those sites will actually be able
to identify you.

Really the biggest pain with the VPNs is the number of websites that
actively try to block connections from them or flood you with
CAPTCHAs. Many more mainstream social media sites/etc also
effectively require association with a mobile phone number, or trigger
this behavior if they don't like your IP address. Obviously VPNs can
be abused to attack hosts or evade bans and generally cause trouble,
which is a frustration for those who simply don't want companies to
know who you are.

Bottom line is that just because the NSA can track your connections
doesn't mean that every random webserver on the planet can do so. The
few government agencies that are likely to be that well-connected are
also very interested in keeping the extent of their capabilities
hidden from each other, and so when they intercept your data they're
going to guard it even more carefully than you would. A solution
doesn't need to be able to defeat the NSA to be useful.

--
Rich
Re: About to have fiber internet and need VPN info
On Sunday, 7 August 2022 19:27:42 BST Rich Freeman wrote:
> On Sun, Aug 7, 2022 at 11:36 AM Michael <confabulate@kintzios.com> wrote:
> > The best a well configured VPN tunnel can offer is a secure connection
> > between client and VPN server, which is handy if you are out and about
> > using untrusted and insecure WiFi hotspots.
> >
> > The only other reason for using a VPN service is to present a different
> > geolocation for the purpose of overcoming country-specific website
> > restrictions.
>
> I think ONLY is a bit strong here. A VPN effectively makes it
> impossible for your ISP to know who you're talking to, and it obscures
> your IP from hosts you are connecting to.

Yes, fair point. I was thinking why would you go to such an effort just to
obscure your comms from your ISP. I'm not saying there aren't use cases
supporting this endeavor. I was thinking more about political activists
operating under oppressive regimes where state-level surveillance would be the
threat model. In this case I would think state actors wouldn't rely on ISPs
alone to share such information, although ISP's data would be tapped into for
good measure.


> Sure, there are ways to defeat this, but most of them are only
> applicable for state-level actors, and the methods available to
> ordinary companies can only identify at best a unique browser profile,
> which only lets them correlate traffic with those they share info with
> to the degree that you use a single browser profile across those
> platforms. For non-web traffic there are generally fewer attacks
> available. Many of the attacks that are often cited like DNS-based
> attacks are not that difficult to prevent (eg by ensuring your DNS
> traffic goes out over the VPN).

Yes, careful VPN implementations would guard against DNS leaks and the like.


> If there are sites you browse using a different browser profile
> (ideally on a VM/etc), and you never use that browser profile for
> ecommerce or activity associated with your normal social media
> accounts, then it is unlikely that those sites will actually be able
> to identify you.
>
> Really the biggest pain with the VPNs is the number of websites that
> actively try to block connections from them or flood you with
> CAPTCHAs. Many more mainstream social media sites/etc also
> effectively require association with a mobile phone number, or trigger
> this behavior if they don't like your IP address. Obviously VPNs can
> be abused to attack hosts or evade bans and generally cause trouble,
> which is a frustration for those who simply don't want companies to
> know who you are.
>
> Bottom line is that just because the NSA can track your connections
> doesn't mean that every random webserver on the planet can do so. The
> few government agencies that are likely to be that well-connected are
> also very interested in keeping the extent of their capabilities
> hidden from each other, and so when they intercept your data they're
> going to guard it even more carefully than you would.

I would sincerely hope so. Can't vouch their contractors and subcontractors
would do the same in all cases though.


> A solution doesn't need to be able to defeat the NSA to be useful.

ACK. It boils down to use cases and requirements. I suppose people who seek
to avoid state surveillance would probably use multilayered encryption and
steganography, or better stay off the Internet altogether? ;-)
RE: About to have fiber internet and need VPN info
>-----Original Message-----
>From: Wol <antlists@youngman.org.uk>
>Sent: Friday, August 5, 2022 4:05 PM
>To: gentoo-user@lists.gentoo.org
>Subject: Re: [gentoo-user] About to have fiber internet and need VPN info
>
>On 05/08/2022 15:53, Laurence Perkins wrote:
>> Oh, and note that if your ISP works the same way as mine, they have a backdoor into whatever equipment they happen to have provided. So definitely put it in bridge mode or whatever and use your own gear if you don't want them spying on the doings of your internal network. One of the local ISPs here even calls it a "feature" and will ping the mobile app they require you to install to use their service every time they detect "suspicious" traffic on your internal net...
>
>What do they do if you don't know how to use a mobile? (Yes that IS a serious question - I provide tech support to family like that :-)
>
>
Their tech will set it up for you when he comes out to hook up the cables. No, it's not been audited for security, so it could be doing anything at all to your phone.

LMP
RE: About to have fiber internet and need VPN info
> -----Original Message-----
> From: Peter Humphrey <peter@prh.myzen.co.uk>
> Sent: Friday, August 5, 2022 4:36 PM
> To: gentoo-user@lists.gentoo.org
> Subject: Re: [gentoo-user] About to have fiber internet and need VPN info
>
> On Saturday, 6 August 2022 00:05:20 BST Wol wrote:
> > On 05/08/2022 15:53, Laurence Perkins wrote:
> > > Oh, and note that if your ISP works the same way as mine, they have
> > > a backdoor into whatever equipment they happen to have provided. So
> > > definitely put it in bridge mode or whatever and use your own gear
> > > if you don't want them spying on the doings of your internal
> > > network. One of the local ISPs here even calls it a "feature" and
> > > will ping the mobile app they require you to install to use their
> > > service every time they detect "suspicious" traffic on your internal net...
> > What do they do if you don't know how to use a mobile? (Yes that IS a
> > serious question - I provide tech support to family like that :-)
>
> ...or if you use your own equipment?
>
> --
> Regards,
> Peter.
>

I would strongly recommend getting your own equipment with most ISPs since the rental price on their equipment will buy a new modem yearly.

Now, that said, the other ISP in the area also has a backdoor, and they try to connect to it any time they're running diagnostics, and if the connection fails then they reset the circuit. So your choice is use one of their sanctioned models and leave the backdoor alone or else have sporadic dropouts.

LMP
RE: About to have fiber internet and need VPN info
>-----Original Message-----
>From: Michael <confabulate@kintzios.com>
>Sent: Saturday, August 6, 2022 1:32 AM
>To: gentoo-user@lists.gentoo.org
>Subject: Re: [gentoo-user] About to have fiber internet and need VPN info
>
>On Saturday, 6 August 2022 07:07:26 BST Dale wrote:
>> Michael wrote:
>> > All connections to banks are encrypted end-to-end for decades now
>> > and the encryption has become stronger over the years.
>>
>> That is likely true. I still remember Snowden tho. We don't know
>> what backdoors are in use even for bank encryption.
>
>It's safer to assume state actors have full access to bank information. The hope is bad guys don't get access too! ;-)
>

They have no reason to bother. At least not in the USA. US courts ruled decades ago that as soon as you give information to a third party you lose all expectation of privacy (yes, even if the third party promised privacy in the contract you have with them.)

Phone voice data and U.S. Mail are specifically protected legally, as are privileged communications with a lawyer, priest, or doctor (although that last category is so riddled with exceptions as to barely count). Otherwise, anybody you do any business with at all can be forced to give up any and all records they have about you, no warrant required, and can be ordered not to tell you it's been done.

So government level actors spying on your banking just go to the bank. And they've been getting more nosey in recent years. Last I heard, any transaction over $600 gets automatically reported to them, and they keep talking about lowering that threshold.

LMP
Re: About to have fiber internet and need VPN info
On Monday, 8 August 2022 17:34:40 BST Laurence Perkins wrote:

> They have no reason to bother. At least not in the USA. US courts ruled
> decades ago that as soon as you give information to a third party you lose
> all expectation of privacy (yes, even if the third party promised privacy
> in the contract you have with them.)

> Phone voice data and U.S. Mail are specifically protected legally, as are
> privileged communications with a lawyer, priest, or doctor (although that
> last category is so riddled with exceptions as to barely count).
> Otherwise, anybody you do any business with at all can be forced to give up
> any and all records they have about you, no warrant required, and can be
> ordered not to tell you it's been done.

> So government level actors spying on your banking just go to the bank. And
> they've been getting more nosey in recent years. Last I heard, any
> transaction over $600 gets automatically reported to them, and they keep
> talking about lowering that threshold.

Thank goodness I don't live in the good ol' US of A. The land of the free?
Hm...

--
Regards,
Peter.
Re: About to have fiber internet and need VPN info
On Monday, 8 August 2022 17:25:08 BST Laurence Perkins wrote:

> I would strongly recommend getting your own equipment with most ISPs since
> the rental price on their equipment will buy a new modem yearly.
>
> Now, that said, the other ISP in the area also has a backdoor, and they try
> to connect to it any time they're running diagnostics, and if the
> connection fails then they reset the circuit. So your choice is use one of
> their sanctioned models and leave the backdoor alone or else have sporadic
> dropouts.

Life isn't like that in the UK - at least, I hope not. I'm not aware of any
such behaviour by my ISP.

--
Regards,
Peter.
Re: About to have fiber internet and need VPN info
On Tue, 09 Aug 2022 00:07:38 +0100, Peter Humphrey wrote:

> > Now, that said, the other ISP in the area also has a backdoor, and
> > they try to connect to it any time they're running diagnostics, and
> > if the connection fails then they reset the circuit. So your choice
> > is use one of their sanctioned models and leave the backdoor alone or
> > else have sporadic dropouts.
>
> Life isn't like that in the UK - at least, I hope not. I'm not aware of
> any such behaviour by my ISP.

In the UK we get a choice of ISPs, so they have to behave, or at least be
more subtle about their misbehaving.


--
Neil Bothwick

Make like a tree and leave.
Re: About to have fiber internet and need VPN info
On Tue, 09 Aug 2022 00:04:53 +0100, Peter Humphrey wrote:

> > So government level actors spying on your banking just go to the
> > bank. And they've been getting more nosey in recent years. Last I
> > heard, any transaction over $600 gets automatically reported to them,
> > and they keep talking about lowering that threshold.
>
> Thank goodness I don't live in the good ol' US of A. The land of the
> free? Hm...

We still have the protections introduced by the EU. Let's hope the
government aren't about to tear them up... oh, they are.


--
Neil Bothwick

All things in moderation, ESPECIALLY moderation.
Re: About to have fiber internet and need VPN info
On Tuesday, 9 August 2022 00:35:05 BST Neil Bothwick wrote:
> On Tue, 09 Aug 2022 00:04:53 +0100, Peter Humphrey wrote:
> > > So government level actors spying on your banking just go to the
> > > bank. And they've been getting more nosey in recent years. Last I
> > > heard, any transaction over $600 gets automatically reported to them,
> > > and they keep talking about lowering that threshold.
> >
> > Thank goodness I don't live in the good ol' US of A. The land of the
> > free? Hm...
>
> We still have the protections introduced by the EU. Let's hope the
> government aren't about to tear them up... oh, they are.

My understanding is the UK (and EU) are all the same if not worse in this
respect. Law stipulated protections on data privacy mostly apply to private
companies, but do not exclude access to your data by governments. As far as I
recall there's not even a need to seek approval by a judge to do so anymore,
although there will be some rudimentary 'supervision' of operatives by more
senior ... operatives. Ha!

It's probably safer to assume Internet and privacy are effectively quite
orthogonal.
RE: About to have fiber internet and need VPN info
>-----Original Message-----
>From: Peter Humphrey <peter@prh.myzen.co.uk>
>Sent: Monday, August 8, 2022 4:08 PM
>To: gentoo-user@lists.gentoo.org
>Subject: Re: [gentoo-user] About to have fiber internet and need VPN info
>
>On Monday, 8 August 2022 17:25:08 BST Laurence Perkins wrote:
>
>> I would strongly recommend getting your own equipment with most ISPs
>> since the rental price on their equipment will buy a new modem yearly.
>>
>> Now, that said, the other ISP in the area also has a backdoor, and
>> they try to connect to it any time they're running diagnostics, and if
>> the connection fails then they reset the circuit. So your choice is
>> use one of their sanctioned models and leave the backdoor alone or
>> else have sporadic dropouts.
>
>Life isn't like that in the UK - at least, I hope not. I'm not aware of any such behaviour by my ISP.

I've heard a few, similar stories from your side of the pond. So far as I can tell it's a matter of incompetence, not maliciousness. 99% of their customers can barely use a computer, and anything that goes wrong, even locally, will get blamed on whichever service department said customer thinks of first.

Were it me running the show I'd have the backdoor only be active when somebody has pressed the WPS button on the router. That would seem a good compromise between privacy and service. But lots of ISPs have standard methods they developed in the 90s when the Internet was slightly friendlier and they often don't have anyone competent to update their policies on staff.

LMP
RE: About to have fiber internet and need VPN info
>
>>
>> Thank goodness I don't live in the good ol' US of A. The land of the
>> free? Hm...
>
>We still have the protections introduced by the EU. Let's hope the government aren't about to tear them up... oh, they are.

America has been slowly going fascist for coming up on 100 years now. That's what happens when you let your government run your schools and teach most of the children that the government is staffed by saints who only want to keep kids out of the coal mines and prevent businesses from poisoning their customers.

But the incompetent bungling surrounding the whole COVID mess seems to have a lot of people waking up to the fact that the clowns in charge don't even know what parts of the economy actually are "essential", and are more interested in maintaining their own power and status than actually being helpful.

So we'll see what happens as the food and fuel shortages keep rolling in.

LMP
Re: About to have fiber internet and need VPN info
On Tuesday, 9 August 2022 17:06:13 BST Laurence Perkins wrote:

> I've heard a few, similar stories from your side of the pond. So far as I
> can tell it's a matter of incompetence, not maliciousness.

The word you want is 'malice'.

--
Regards,
Peter.
