• VPN Security. How secure is it really?

    From Ferrous Cranus@1:0/0 to All on Mon Jan 14 16:45:09 2013
    VPN services state:
    Exactly, we provide our customers with a private, secure VPN tunnel, and we do not monitor nor retain logs pertaining to their connectivity, traffic, or activities. It's what keeps us in business.
    --------------------------------------

    a) If one individual harasses another one on purpose? And for the sake of example let's say:

    I use an anonymous mail service to KEEP sending mails to someone (for some reason) WHILE connected to their VPN.
    That person gets irritated and contacts the anonymous mail service about the annoying mails derived from their service and asks them to investigate further. The latter checks its logging database and sees clearly that one of THEIR VPN gateways was used upon connecting to them.
    Then they ask them to detect that customer based on his usage and disclose personal information about him.
    What WILL they do? (please answer sincerely)


    b) Prior to their TAP driver execution, the REAL IP address exists.
    How can we know for sure that they DO NOT ASSOCIATE ( ISP_ip_address <=> VPN_ip_address ) at the very moment we connect to their VPN service?

    Also, as for the randomly_assigned_username, which cannot be modified, isn't that "username" what uniquely identifies each and every customer of theirs?


    p.s. I need some sincere answers to decide if I am to be a regular customer. Please be sincere.

    Thanks in advance.

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From unruh@1:0/0 to All on Mon Jan 14 18:42:47 2013
    On 2013-01-14, Ferrous Cranus <nikos.gr33k@gmail.com> wrote:
    > VPN services state:
    > Exactly, we provide our customers with a private, secure VPN tunnel, and we
    > do not monitor nor retain logs pertaining to their connectivity, traffic, or
    > activities. It's what keeps us in business.
    > --------------------------------------
    >
    > a) If one individual harasses another one on purpose? And for the sake of
    > example let's say:
    >
    > I use an anonymous mail service to KEEP sending mails to someone (for some
    > reason) WHILE connected to their VPN.
    > That person gets irritated and contacts the anonymous mail service about the
    > annoying mails derived from their service and asks them to investigate further.
    > The latter checks its logging database and sees clearly that one of THEIR VPN
    > gateways was used upon connecting to them.
    > Then they ask them to detect that customer based on his usage and disclose
    > personal information about him.
    > What WILL they do? (please answer sincerely)

    The various US laws may well force them to keep some data for
    investigatory purposes. They will not have a choice.

    > b) Prior to their TAP driver execution, the REAL IP address exists.
    > How can we know for sure that they DO NOT ASSOCIATE ( ISP_ip_address <=>
    > VPN_ip_address ) at the very moment we connect to their VPN service?

    Of course they do, otherwise they could not send packets from one to the
    other.

    > Also, as for the randomly_assigned_username, which cannot be modified, isn't
    > that "username" what uniquely identifies each and every customer of theirs?

    They may have lots of other information. (Note it is the uid, not the
    username that identifies as far as the system is concerned)

    > p.s. I need some sincere answers to decide if I am to be a regular customer.
    > Please be sincere.
    >
    > Thanks in advance.

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From Lusotec@110:300/1.1 to All on Mon Jan 14 19:39:23 2013
    Ferrous Cranus wrote:
    > VPN services state:
    > Exactly, we provide our customers with a private, secure VPN tunnel, and
    > we do not monitor nor retain logs pertaining to their connectivity,
    > traffic, or activities. It's what keeps us in business.

    Even if your VPN provider does not keep logs, someone just has to sit and wait for you to connect to the VPN provider again. And who may that someone be? Someone with a warrant and/or gun and/or hacking tools that knocks at the door/network of your VPN provider.

    > --------------------------------------
    >
    > a) If one individual harasses another one on purpose? And for the sake of
    > example let's say:
    >
    > I use an anonymous mail service to KEEP sending mails to someone (for some
    > reason) WHILE connected to their VPN. That person gets irritated and
    > contacts the anonymous mail service about the annoying mails derived from
    > their service and asks them to investigate further. The latter checks its
    > logging database and sees clearly that one of THEIR VPN gateways was used
    > upon connecting to them. Then they ask them to detect that customer based
    > on his usage and disclose personal information about him. What WILL they
    > do? (please answer sincerely)

    Uh, hope that is just an example!!!

    > b) Prior to their TAP driver execution, the REAL IP address exists.
    > How can we know for sure that they DO NOT ASSOCIATE ( ISP_ip_address <=>
    > VPN_ip_address ) at the very moment we connect to their VPN service?
    >
    > Also, as for the randomly_assigned_username, which cannot be modified,
    > isn't that "username" what uniquely identifies each and every customer of
    > theirs?
    >
    > p.s. I need some sincere answers to decide if I am to be a regular
    > customer. Please be sincere.
    >
    > Thanks in advance.

    My advice is to *not* blindly trust a VPN provider.

    Regards.


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: A noiseless patient Spider (110:300/1.1@linuxnet)
  • From Ferrous Cranus@1:0/0 to All on Mon Jan 14 21:02:18 2013
    On Monday, 14 January 2013 7:42:47 PM UTC+2, user unruh wrote:

    > The various US laws may well force them to keep some data for
    > investigatory purposes. They will not have a choice.

    So, they are ALL lying about how secure and private their customers really are?


    >> How can we know for sure that they DO NOT ASSOCIATE ( ISP_ip_address <=>
    >> VPN_ip_address ) at the very moment we connect to their VPN service?
    > Of course they do, otherwise they could not send packets from one to the
    > other.

    Then, we can only HOPE that they do not perform logging. But if they are forced by the law then THEY ARE.

    > They may have lots of other information. (Note it is the uid, not the
    > username that identifies as far as the system is concerned)

    And 'uid' being? What are they using it for? To distinguish customers?


    Do you guys use VPN Services for security and anonymity?
    Is there any VPN available that doesn't do logging?

    And IF they are log-less, HOW do hackers get caught then? :-)


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From unruh@1:0/0 to All on Mon Jan 14 21:10:45 2013
    On 2013-01-14, Ferrous Cranus <nikos.gr33k@gmail.com> wrote:
    > On Monday, 14 January 2013 7:42:47 PM UTC+2, user unruh wrote:
    >
    >> The various US laws may well force them to keep some data for
    >> investigatory purposes. They will not have a choice.
    >
    > So, they are ALL lying about how secure and private their customers really
    > are?
    >
    >>> How can we know for sure that they DO NOT ASSOCIATE ( ISP_ip_address <=>
    >>> VPN_ip_address ) at the very moment we connect to their VPN service?
    >> Of course they do, otherwise they could not send packets from one to the
    >> other.
    >
    > Then, we can only HOPE that they do not perform logging. But if they are
    > forced by the law then THEY ARE.
    >
    >> They may have lots of other information. (Note it is the uid, not the
    >> username that identifies as far as the system is concerned)
    >
    > And 'uid' being? What are they using it for? To distinguish customers?

    On a Unix system, the uid is the unique user id number. A uid can have
    various names associated with it (it does not usually, but it can).

    > Do you guys use VPN Services for security and anonymity?
    > Is there any VPN available that doesn't do logging?

    The law is such that all US providers can be forced to do logging, and
    additionally are legally (with penalties of many years in jail)
    required not to tell the person being logged. Non-US providers are not
    (well, the US seems to feel that its laws apply worldwide, so if they
    really want to they can arrest that provider if they ever come to the
    US, or, in really severe circumstances, they can send out teams to
    capture or otherwise deal with people even if they are in foreign
    countries, but that tends to be rare) required to follow those laws
    (although they may have equivalent laws in their own countries).

    > And IF they are log-less, HOW do hackers get caught then? :-)

    Usually stupidity. Rarely do sophisticated means become necessary. As
    always, the crook just needs to make one mistake, the people looking for
    them can make and correct many mistakes.


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From Ferrous Cranus@1:0/0 to All on Tue Jan 15 07:58:26 2013
    Understood! Thanks!

    Now to the technical part:

    [ local_ip:local_port <=> external_ip:external:port ] <=> ISP_gateway:port <=> VPN_server:port

    What part of the above is being encrypted?

    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Kofo BBS MBSE - telnet://fido1.kofobbs.ne
  • From Lew Pitcher@110:300/1.1 to All on Wed Jan 23 16:06:41 2013
    Reply-To: lew.pitcher@digitalfreehold.ca

    Ferrous Cranus wrote:

    > Understood! Thanks!
    >
    > Now to the technical part:
    >
    > [ local_ip:local_port <=> external_ip:external:port ] <=> ISP_gateway:port <=> VPN_server:port
    >
    > What part of the above is being encrypted?

    Potentially, all of it. Possibly, none of it.

    Assuming that this diagram represents the "provider" end of a commercial enterprise that uses VPN, then even the path from "local" to "VPN" may be encrypted, possibly by a pair of commercial, hardwired encryption devices, one at each end.

    But, then again, you might have that diagram wrong, for commercial enterprises. It probably should be drawn as:

    local_ip: <=> VPN_server: <=> external_ip: <=> ISP_gateway:

    That's the way I've seen it done in high-security commercial enterprises (like banks).

    OTOH, assuming that your diagram represents the "provider" end of an *amateur* setup, then the path from local to VPN may not even have minimal encryption.

    The part that's most likely to be encrypted is the part that you /didn't/ draw: the VPN_server:port <=> VPN_client:port, which is the "public" part of the process, living in the Internet "cloud". But, in a poorly set up VPN, even /that/ part might not be encrypted, or may be protected with minimal, breakable encryption.

    HTH
    --
    Lew Pitcher


    --- MBSE BBS v0.95.13 (GNU/Linux-x86_64)
    * Origin: The Pitcher Digital Freehold (110:300/1.1@linuxnet)
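
Added example (not part of any post in this thread): a small Python model of the path discussed above, showing unruh's point that the gateway must hold the ISP-address-to-tunnel-address mapping while a session is live, and Lew Pitcher's point that the client-to-VPN-server leg is the part usually encrypted. The addresses, timestamp, class and function names and the stand-in cipher are all constructed for illustration.

```python
import hashlib, os
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

def xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 counter keystream), no authentication;
    # a real VPN would use an AEAD such as AES-GCM or ChaCha20-Poly1305.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

class Gateway:
    def __init__(self, public_ip, exit_ip, keep_logs):
        self.public_ip, self.exit_ip, self.keep_logs = public_ip, exit_ip, keep_logs
        self.sessions = {}  # real_ip -> (tunnel_ip, key): required to route at all
        self.log = []       # written only when the operator retains logs

    def connect(self, real_ip, tunnel_ip, key, when):
        self.sessions[real_ip] = (tunnel_ip, key)
        if self.keep_logs:
            self.log.append((when, real_ip, tunnel_ip))

    def forward(self, outer):
        _tunnel_ip, key = self.sessions[outer.src]  # lookup by the client's real address
        plain = xor_stream(key, outer.payload[:8], outer.payload[8:])
        dst, _, body = plain.partition(b"|")
        return Packet(self.exit_ip, dst.decode(), body)  # NAT: destination sees exit_ip

    def disconnect(self, real_ip):
        self.sessions.pop(real_ip, None)

def client_send(real_ip, gw, key, dst, body):
    nonce = os.urandom(8)
    return Packet(real_ip, gw.public_ip, nonce + xor_stream(key, nonce, dst.encode() + b"|" + body))

def run(keep_logs):
    # Constructed addresses from the documentation ranges (RFC 5737).
    gw = Gateway("203.0.113.10", "203.0.113.99", keep_logs)
    key = os.urandom(32)
    gw.connect("198.51.100.7", "10.8.0.2", key, "2013-01-14T16:45Z")
    outer = client_send("198.51.100.7", gw, key, "192.0.2.25", b"MAIL FROM:<x>")  # what the ISP sees
    inner = gw.forward(outer)                                                    # what the mail service sees
    live = dict(gw.sessions)                                                     # what the gateway holds in memory
    gw.disconnect("198.51.100.7")
    return outer, inner, live, gw.sessions, gw.log
```

`run(False)` and `run(True)` differ only in what survives `disconnect`: the live mapping exists in both cases, the retained record only in the second.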