Insights For Success

Strategy, Innovation, Leadership and Security

Honest review of the Tunnelbear VPN service

GeneralEdward KiledjianComment

Similar Articles:

Start

I've written about half a dozen articles over the last couple of weeks reviewing various VPN services. I asked my social media followers what other VPN services they wanted me to review, and many readers requested that I review TunnelBear. So here is my review of the TunnelBear VPN service.

TL;DR - TunnelBear is an excellent service that won't disappoint.

First, it meets the multi platform requirement. It supports MacOS, Windows, IOS and Android (with browser extensions for Opera and Google Chrome). These are the most requested platforms by users and will meet the needs of 95% of their user base. If you are a tinker and want an OpenVPN configuration file or router support, you will be sorely disappointed (see VyprVPN in that case). They have talked about a very manual configuration option for Linux using OpenVPN, but this isn't for the faint of heart.

TunnelBear has about 19 servers worldwide. This is in strong contract to companies like HideMyAss that offer 190+ locations with 720+ servers.  Countries listed during my test included: United States, United Kingdom, Canada, Germany, Japan, France, Italy, Netherlands, Sweden, Switzerland, Ireland, Spain, Singapore, Norway, Denmark, Hong Kong, Brazil, Mexico, India.

One issue I have with many services is that there is no "auto-connect to the fastest server" option, but TunnelBear has this option. When compared to VyprVPN, UnlimitedVPN (Keepsolid) or HideMyAss, TunnelBear's performance was always a little bit slower. Youtube was always using a lower quality, and downloading files always took a bit longer. 

Many VPN services just provide a plain; we do not collect logs statement. As a more technical user, I expect a little more "meat" with a statement like that. You can read the TunnelBear privacy policy here.  

I appreciate the honesty and clear privacy terms provided by TunnelBear:

By using our services, you authorize TunnelBear to use your information according to Canada’s laws, regardless of which country you are located in
TunnelBear explicitly does NOT collect, store or log the following data:

- IP addresses visiting our website
- IP addresses upon service connection
- DNS Queries while connected
- Any information about the applications, services or websites our users use while connected to our Service

Canada is a member of the five eyes and as a Canadian, I believe my information is collected and shared with the other members of the spying consortium. My preference is to use a VPN service who is headquartered in Switzerland (or another privacy loving locale). 

TunnelBear also offers a free tier (500MB per month) to anyone who wants to test their service or has very limited needs. Free VPN service is a rare offering from a reputable company, and one TunnelBear should be very proud of. 

You can earn one free GB of additional traffic by tweeting about TunnelBear using an in app feature. I tried this twice, and they added 1GB each time within 10 minutes.

I tested Netflix USA with the TunnelBear VPN turned on and Netflix detected the connection as a VPN and refused to show the US catalogue. 

Pricing

The annual TunnelBear subscription is $4.99 a month which is competitive. If you shop around (check out the link in my KeepSolid UnlimitedVPN review) you can get a similar VPN service at $49.99 for an unlimited lifetime subscription. 

Conclusion

TunnelBear offers an easy to use VPN service or the average Joe. It doesn't offer a tonne of client support. It is based in a high-risk country (Canada) and the price is average. 

If your look around on deal sites, you can find an UnlimitedVPN lifetime (5 devices) deal for $49.99 which is a better deal. UnlimitedVPN is based in the USA so they suffer the same headquarter location issue (being based in a Five eyes country) as TunnelBear. The difference is you get a tonne more exit servers than TunnelBear.

For real security, I would say check out Private Internet Access or ProtonVPN.  

Install IOS Update 10.3.3

GeneralEdward KiledjianComment

As mentioned in my various articles, keeping your operating system and applications updates is a critical component to good overall security. 


Apple released IOS 10.3.3 yesterday, and amongst all of the bugs it fixes, there is one nasty security vulnerability that justifies installing it now. Right now. Do it. I'll wait. Come on, we don't have all day. 

Put Apple's banal sounding description aside for a second ("A memory corruption issue was addressed with improved memory handling".) This vulnerability comes from the Broadcom BCM43xx wifi chipset (CVE-2017-9417) and allows an attacker to execute code on the targeted device with kernel privileges.

To be clear, millions of Android smartphones (e.g. HTC, LG, Nexus and most Samsung devices) are also vulnerable to the BroadPwn vulnerability. 

Google also issued the BroadPwn fix in its July patch bundle (you are receiving the security updates for your phone right?)

Google hopes Hire gives it a better stronghold in corporations

GeneralEdward KiledjianComment

Google sees the corporate world as an excellent cash cow and has been working hard to secure its place. Most recently we have the fruits of its labour with redesigned G-Suite offerings, the Jamboard and more.

Google is the king of data and has decided it can help HR do a better job with recruitment. Google Hire is a purpose built solution that promises to make the entire hiring process easier and more efficient (from finding to managing). 

The target customer is the small or medium organisation that may not be using any of the larger more expensive and complicated tools. 

  • A 2015 report by Bersin (Deloitte) claimed it took on average 52 days to fill a position (up from 48 in 2011) at the cost of $4,000
  • 48% of small businesses report there are few or no qualified applicants for the positions they are trying to fill (NFIB)
  • 27% of respondends believe lengthy hiring timelines are a major impedament to increasing staff headcount (Recruiter Sentiment Study 2015 2nd Half, MRI Network, December 2015)

So all in all, we can safely assume the hiring process is broken in small to medium size companies, which may equate to a nice chunk of change for Google (if it plays its cards right).

Google Hire leverages the G-Suite platform and integrates with email and calendaring. In addition to winning new business by offering innovative cost effective new solutions for the SMB market, it also adds value to G-Suite. 

It is conceivable that a long time Microsoft Office customer may eventually switch to Google's G-Suite if it has enough value added features. 

I have spoken to dozens of medium size start-ups that just don't want or need the big Office 365 offering and are just looking for an excuse to make the jump. It is small but targeted offerings like this that may make the difference.

You can check out the Google Hire website for more details.

Get thousands of dollars of Microsoft ebooks for free

GeneralEdward KiledjianComment


It's Christmas in July for any tech enthusiast that loves getting "something for nothing". The books are presented in a straight text list (without pictures) and organised by category and file format.

There are no limits, conditions or restrictions. You can download one, or you can download them all.

The books will interest hardcore IT administrators or casual Windows users looking to sharpen their skills. You can click on this link to see the massive list.

Some General computing topics include:

  • An employee’s guide to healthy computing
  • 10 essential tips and tools for mobile working
  • How To Recover That Un-Saved Office Document

There are books on Azure. Books for developers. Books on Sharepoint, Dynamics CRM, Powershell, SQL Server and more.

Don't miss this opportunity. Download them now.

 

Review of HideMyAss VPN (HMA)

GeneralEdward KiledjianComment

After writing my first VPN service review a couple of weeks ago, I asked my readers "what other VPN services" I should evaluate. A much-requested one was HideMyAss (HMA), so here is that review.

You can't evaluate VPN service providers without seeing HideMyAss.  They have ads everywhere. My first experience with HMA was through a 1-month free offer provided by Anonabox

Most security blogs and posts on review sites give HideMyAss a poor rating because they have (allegedly) turned over user log information to authorities (without putting up a fight).  Others complain that the service is "feature light".

HideMyAss has a massive network of termination points (one of the biggest in the world). 

HideMyAss cost

HideMyAss has increased its prices over the years and has a single tier plan (aka you don't pay for usage volume or number of connected devices).

Your commitment term determines your monthly price. At $6.99 for 12-months, they are competing with the likes of VyprVPN and ProtonVPN. HideMyAss is almost double the price of Internet Private Access (IPA), which is regarded as one of the best from a privacy-guarding perspective. Another much more popular cheaper alternative is UnlimitedVPN.

Once a season, HideMyAss does run a 50% off promo so....

HideMyAss features

The first major feature is the sheer size of its VPN network. HideMyAss offers 720+ VPN servers in 320+ locations in 190+ countries.

Now we get to the less feature part of our program. HideMyAss VPN support's two simultaneous connections per subscriber. ProtonVPN supports 2 with it's $4 a month basic plan. VyprVPN supports five simultaneous connections with its $6.67 a month plan. VPN Unlimited is offering a $49.99 lifetime plan with five simultaneous connection support. 

HideMyAss supports OpenVPN, PPTP and L2TP. 

People who buy HideMyAss aren't power users but people who are looking for a "simple" VPN solution with an extensive termination network. They support terminations in locations like Servia and Malawi.

Is HideMyAss Secure and Private?

So many security forums and Reddit threads discuss how HideMyAss (allegedly) turns over user data to police with little pushback. The most prominent example of this accusation is a 2011 situation where it is believed HMA turned over user information for Cody Kretsinger. Cody Kretsinger was a member of LulzSec and arrested by police for hacking Sony Pictures (he was convicted of the crime). 

There are dozens of other such claims, just do a quick Google search.

Reading the End User License Agreement, you learn that HideMyAss (Privax) is a UK company and is now owned by Avast (a Czech company). The UK is not known as a haven for privacy (e.g. snoopers charter). Most UK providers must maintain rich metadata logs.

The HideMyAss privacy statement for their VPN service says "We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service. We collect aggregated statistical (non-personal) data about the usage of our mobile apps and software." HMA claims this information is kept for 2 to 3 months but the UK Investigatory Powers Act requires that this type of information be kept for 12 months.

Does HideMyAss allow Peer2Peer networking? The answer is Yes for legal content and no for illegal ones. Here is an example of a Reddit thread where a user claims HMA cut-off his service for downloading copyrighted content. In this thread, a user called neonovo says "Yes, two dmca notices from the vpn hide my ass, which as they did not hide my ass I did some much-needed research and found btguard.

I do not condone downloading copyrighted material or breaking any laws but knowing your VPN will (allegedly) roll over quickly is not comforting.

If you want to download torrent based content (legal of course), you should check out the list of torrent friendly providers maintained by TorrentFreak

Is HideMyAss secure?

I emailed HideMyAss support asking for details about its encryption technologies and directed to this support write-up. This write-up does not answer any of my questions about what cyphers are used and how. I believe some of their protocols (like L2TP) use pre-shared keys (which is a bad thing).

Without any additional information, I have to assume the worst and say "I don't consider HideMyAss secure at this point". My starting position is to assume technology is insecure unless proven otherwise.

I could not find DNS leak protection as an option in the Windows client, but my tests showed that it did not leak DNS information. 

HideMyAss performance

Assuming everything above didn't scare you away, you may be wondering about performance. Anytime I perform a VPN test; it is done using a 100MB fibre connection (<10ms ping) with a cleanly installed and patched Windows 10 computer connected directly to the internet connection. 

Some HideMyAss connections had excellent performance, and other's cut my throughput by more than 50%. Through trial and error, you will be able to find the servers that work best for you, but there is no automated performance cataloguing function. 

One item I will add here is the ability to get US Netflix. I  test this with every VPN and Netflix never works, except this time it did with one of the US servers I tested. Since it did not work consistently, I am assuming there were a couple of IP addresses Netflix hadn't catalogued as VPN yet. 

Conclusion

I don't use VPN to hide illegal activities. I use VPN to protect my privacy when I am using untrusted networks or from my ISP [read Your ISP is tracking you]. With everything that I learned during this review, I can't recommend HideMyAss. There are so many better options (in my opinion) that you shouldn't settle for a company that doesn't go the extra mile.