Insights For Success

Strategy, Innovation, Leadership and Security

Anonymous

The New York Times now available on TOR

GeneralEdward KiledjianComment
NYTimes_TOR1.png
I do not agree with what you have to say, but I’ll defend to the death your right to say it.
— Voltaire

When the average consumer thinks about TOR (which isn't very often), they imagine that it is the ugly, damp & rancid underbelly of the internet. 

Reality is that TOR is a US government-funded project to create anonymity on the internet. It is a platform that allows everyone to have a voice without fear of punishment or even death (think political activists).

No technology is perfect, but TOR is a very powerful tool for human rights activists and other dissidents. 

In a 2015 The Intercept article, Edward Snowden goes as far as saying "I think Tor is the most important privacy-enhancing technology project being used today. " & " What Tor does is it provides a measure of security and allows you to disassociate your physical location."

Proof that TOR isn't just for drugs and counterfeit goods is the fact many reputable organizations have started to create their own TOR presence. 

The New York times launched it's TOR Onion Service website (in late October) as a secure way of making its content available to people around the world that may otherwise not have access to its content (China, Iran, etc.)

When companies moved to the web 15-20 years ago, sites were less reliable as companies tried to figure out how this "web thing" worked. TOR is the same today. Sites Like the New York Times are still trying to figure out how to efficiently use TOR, and therefore you should assume these sites are all in beta status. 

The New York Times reports on stories all over the world, and our reporting is read by people around the world. Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer.
— The New York Times

You can access The New York Times TOR ONION Service site here : https://www.nytimes3xbfgragh.onion/ [remember this doesn't work via the "normal web". 

Review of HideMyAss VPN (HMA)

GeneralEdward KiledjianComment

After writing my first VPN service review a couple of weeks ago, I asked my readers "what other VPN services" I should evaluate. A much-requested one was HideMyAss (HMA), so here is that review.

You can't evaluate VPN service providers without seeing HideMyAss.  They have ads everywhere. My first experience with HMA was through a 1-month free offer provided by Anonabox

Most security blogs and posts on review sites give HideMyAss a poor rating because they have (allegedly) turned over user log information to authorities (without putting up a fight).  Others complain that the service is "feature light".

HideMyAss has a massive network of termination points (one of the biggest in the world). 

HideMyAss cost

HideMyAss has increased its prices over the years and has a single tier plan (aka you don't pay for usage volume or number of connected devices).

Your commitment term determines your monthly price. At $6.99 for 12-months, they are competing with the likes of VyprVPN and ProtonVPN. HideMyAss is almost double the price of Internet Private Access (IPA), which is regarded as one of the best from a privacy-guarding perspective. Another much more popular cheaper alternative is UnlimitedVPN.

Once a season, HideMyAss does run a 50% off promo so....

HideMyAss features

The first major feature is the sheer size of its VPN network. HideMyAss offers 720+ VPN servers in 320+ locations in 190+ countries.

Now we get to the less feature part of our program. HideMyAss VPN support's two simultaneous connections per subscriber. ProtonVPN supports 2 with it's $4 a month basic plan. VyprVPN supports five simultaneous connections with its $6.67 a month plan. VPN Unlimited is offering a $49.99 lifetime plan with five simultaneous connection support. 

HideMyAss supports OpenVPN, PPTP and L2TP. 

People who buy HideMyAss aren't power users but people who are looking for a "simple" VPN solution with an extensive termination network. They support terminations in locations like Servia and Malawi.

Is HideMyAss Secure and Private?

So many security forums and Reddit threads discuss how HideMyAss (allegedly) turns over user data to police with little pushback. The most prominent example of this accusation is a 2011 situation where it is believed HMA turned over user information for Cody Kretsinger. Cody Kretsinger was a member of LulzSec and arrested by police for hacking Sony Pictures (he was convicted of the crime). 

There are dozens of other such claims, just do a quick Google search.

Reading the End User License Agreement, you learn that HideMyAss (Privax) is a UK company and is now owned by Avast (a Czech company). The UK is not known as a haven for privacy (e.g. snoopers charter). Most UK providers must maintain rich metadata logs.

The HideMyAss privacy statement for their VPN service says "We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service. We collect aggregated statistical (non-personal) data about the usage of our mobile apps and software." HMA claims this information is kept for 2 to 3 months but the UK Investigatory Powers Act requires that this type of information be kept for 12 months.

Does HideMyAss allow Peer2Peer networking? The answer is Yes for legal content and no for illegal ones. Here is an example of a Reddit thread where a user claims HMA cut-off his service for downloading copyrighted content. In this thread, a user called neonovo says "Yes, two dmca notices from the vpn hide my ass, which as they did not hide my ass I did some much-needed research and found btguard.

I do not condone downloading copyrighted material or breaking any laws but knowing your VPN will (allegedly) roll over quickly is not comforting.

If you want to download torrent based content (legal of course), you should check out the list of torrent friendly providers maintained by TorrentFreak

Is HideMyAss secure?

I emailed HideMyAss support asking for details about its encryption technologies and directed to this support write-up. This write-up does not answer any of my questions about what cyphers are used and how. I believe some of their protocols (like L2TP) use pre-shared keys (which is a bad thing).

Without any additional information, I have to assume the worst and say "I don't consider HideMyAss secure at this point". My starting position is to assume technology is insecure unless proven otherwise.

I could not find DNS leak protection as an option in the Windows client, but my tests showed that it did not leak DNS information. 

HideMyAss performance

Assuming everything above didn't scare you away, you may be wondering about performance. Anytime I perform a VPN test; it is done using a 100MB fibre connection (<10ms ping) with a cleanly installed and patched Windows 10 computer connected directly to the internet connection. 

Some HideMyAss connections had excellent performance, and other's cut my throughput by more than 50%. Through trial and error, you will be able to find the servers that work best for you, but there is no automated performance cataloguing function. 

One item I will add here is the ability to get US Netflix. I  test this with every VPN and Netflix never works, except this time it did with one of the US servers I tested. Since it did not work consistently, I am assuming there were a couple of IP addresses Netflix hadn't catalogued as VPN yet. 

Conclusion

I don't use VPN to hide illegal activities. I use VPN to protect my privacy when I am using untrusted networks or from my ISP [read Your ISP is tracking you]. With everything that I learned during this review, I can't recommend HideMyAss. There are so many better options (in my opinion) that you shouldn't settle for a company that doesn't go the extra mile. 

Review of Private Internet Access (PIA)

GeneralEdward KiledjianComment

The question I receive the most is "what VPN service should I use when I travel?".  I started writing and testing the most popular ones and so far you can read these ones:

The next most requested service is Private Internet Access (referred to online as PIA). 

Introduction

Private Internet Access (PIA) is one of the most popular and affordable VPN service providers around. At last count, PIA offers 3,193 servers hosted in 24 countries. PIA belongs to an organisation called  London Trust Media, Inc. 

The tech

Private Internet Access is an easy choice for the general consumer because of the wide range of clients it supports: MacOS (10.4 and newer), Windows 7/8/10, Unix/Linux, Ipad/iPhone (PPTP, IPSEC, L2TP), Android (PPTP, IPSEC, L2TP, OpenVPN), DDWRT, Tomato OpenVPN, PfSense OpenVPN.

It not only securely reroutes your traffic but it can also block ads, trackers and malware. It does support P2P traffic and has a strict no log policy. 

Rick Falkvinge, head of privacy at PIA, talking about their no log policy and why it's important.

The client

Their clients are simple and straightforward but offer interesting features like the level of encryptions, DNS leak protection and a kill switch (to stop all traffic if the VPN drops).

It will let you pick a region to exit from but not a particular server. 

PIA allows you to connect up to 5 devices simultaneously. 

The speed

For comparison purposes, I tested PIA against ProtonVPN, ProXPN, UnlimitedVPN and VyprVPN. All terminating in Canada. My connection to the internet was a machine connected straight into my internet router with no other traffic (keeping all the variables controlled). The machine was a freshly imaged version of Windows 10 with all of the latest patches applied and only Google Chrome installed.

My connection is a 100MB down / 10 MB up. Without a VPN I usually get performance slightly better than advertised. With VyprVPN (the fastest), I managed to get close to 95MB down / 9.6 MB up. With PIA, I managed to get 87 MB down / 7 MB up. 

My ping without a VPN was below 12 ms but hit around 25-50 with PIA. 

Netflix?

People want to know if they can access US Netflix via PIA and based on my testing, the answer is: almost never. During my testing, Netflix detected the PIA connection and blocked access. A small number of recent online comments (on various sites) said Netflix worked for them but I was not able to reproduce it.

Support

I had no need for support but read dozens of complaints online about their support. Your mileage may vary. 

Price

The annual price here is a no-brainer: $39.95US a year everything included. This is an incredible deal. VyprVPN comes in at ~$80 a month (paid annually). 

Conclusion

PIA offers a trusted and well respected VPN service for a very competitive price. If you need a layer of protection from your ISP then this is definitely an option you need to consider. Advanced users may find the sparse low granularity interfaces annoying but then again, sometimes you just want things to work without having to tinker. 

Honest review of the ProtonVPN service

GeneralEdward Kiledjian2 Comments

UPDATE 7/5/2017: My connection to the ProtonVPN endpoints using their Windows client is extremely unreliable. At random intervals, the connection just "stops working" and the only way to fix it is to connect to a new location. I have had a support request open for over 1.5 weeks and my issue hasn't been resolved yet. I cannot recommend the ProtonVPN service at this time for the reasons listed below and because my experience has been unstable (and support has been slow to non-existent).

------------------------------------------------------------------

Since the official public launch, I have received dozens of emails (and Twitter DMs) from readers asking me to review ProtonVPN. 

A group of scientists with a track record of building secure products (ProtonMail) designed ProtonVPN from the ground up to be safe and privacy-enhancing.  The promise is that they will bring the same end to end encryption model to the highly uncertain world of VPN.

They talk a lot about the benefits of being headquartered in Switzerland, and many of their statements are accurate. Let's talk about the Five Eyes

Who are the "Five Eyes"?

With the Edward Snowden leaks, we learned about the complex data collection agreements between "friendly" countries. The first significant agreement is called the UKUSA agreement and is an agreement by the United Kingson, United States, Australia, Canada and New Zealand to collect, analyse and share intelligence information with each other.

This group is referred to as the "five eyes" because of their laser-like focus on sucking up incredibly massive amounts of data and sharing it with their "partner" intelligence friends. Some have even accused these countries of using this partnership to circumvent local laws designed to present local intelligence agencies from spying on their people (they get another five eyes Country to do it and report back).

So the Five Eyes countries are:

  1. Australia
  2. Canada
  3. New Zealand
  4. United Kingdom
  5. United States

Not wanting to be left out, other countries soon sought membership in this coveted group, and now we believe the extended group should be called the 14 eyes:

  • Denmark
  • France Netherlands
  • Norway
  • Belgium
  • Germany
  • Italy
  • Spain
  • Sweden

Switzerland is not part of the 14 eyes (or five eyes)

So protonVPN is located in a much more privacy friendly jurisdiction that does not have a formal intelligence gathering and sharing agreement with the rest of the world.

ProtonVPN technology

ProtonVPN uses industry standard OpenVPN with UDP or TCP. It currently has a ProtonVPN branded Windows client.

As I write this, ProtonVPN allows you to use any OpenVPN client with their service which is how you can connect from IOS, Android, MacOS or Linux. We are being promised clients for these platforms, but there is no firm committed to date.

In this day and age, it is unacceptable for a mainstream VPN service to not have its own client on these core platforms. Especially when ProtonVPN is charging premium rates for their services.

Does ProtonVPN slowdown my connection?

I did extensive testing of the ProtonVPN service from various internet connections (home, office, coffee shops and three different cell phone providers). I also used different clients (Windows, MacOS, Android and IOS). 

If you are using (non-secure core) close by exit node with low traffic, the performance hit is usually 5-12%. This is no better or worse than other high-quality VPN providers. When you turn on secure core routeing, you can lose 20-45% of your connection speed because it is sending your traffic through 3 secure data centres plus the exit node. 

What is the Secure Core Technology?

Secure Core is a nice enhancement to traditional VPN technologies that pass your traffic through multiple ProtonVPN owned and managed servers before finally delivering it to the exit node. 

Why Secure Core?

Secure Core was created to add additional protection when your exit node is in a "high risk" jurisdiction. As an example, you may want to exit in the US to gain access to geographically locked content but want to ensure your privacy is protected (knowing that almost all US traffic is captured, analysed and stored).

What does Secure Core protect against?

Leaked documents have shown that governments can deanonymize TOR traffic by controlling a large number of TOR exit nodes. The same can be done using VPN exit nodes. Most providers use local service provider facilities, networks and computer as termination points for their VPN service.

The three VPN services I am testing right now (ProtonVPN, UnlimitedVPN, ProXPN) all use Amanah Tech as their Toronto-based exit point. If a government agency were to compromise the equipment, they could then start de-anonymizing traffic flowing through it.

By routeing your traffic through multiple (typically three), ProtonVPN owned and managed devices in secure jurisdictions first; they make the de-anonymization (even if a government agency compromises the exit node) much more challenging.

When most people think of governments monitoring internet traffic, they think of (China, Russia, Iran and Turkey). It is important to remember that the 14 Eyes also monitor internet traffic and share the data amongst themselves.

Does ProtonVPN support Peer to Peer protocols (P2P)?

Like all VPN providers, ProtonVPN does not condone the use of their service for any illegal activities (including the illegal download of copyrighted content via P2P networks). Before I start receiving hate mail, I know there are legitimate uses for P2P technologies (like Resilio Sync or Tails OS).

ProtonVPN clearly marks endpoints that they recommend you use with P2P traffic:

The double arrows mean that is a P2P supported exit node. The Onion icon next to Switzerland is an example of a location that has a TOR entry node.

Does ProtonVPN log?

ProtonVPN is built on a pedigree of privacy, and their stated logging policy exemplifies that. ProtonVPN has a No Logs policy which means they do not store any information about your connection, what you do while connected and where you connect from.

The only information they log (for security reasons) is a single timestamp of the most recent logging from your account.

ProtonVPN sign-up

Potonmail and ProtonVPN have linked accounts and payment can be made via Credit Card or Bitcoin (instructions).

ProtonVPN goes to great lengths to protect your identity, but I would still say it is a privacy tool and not an anonymization service. The best anonymization system is still the free TOR browser(you should donate to them if you haven't already).

ProtonVPN Paid Plans

ProtonVPN offers a free plan but most users will want to upgrade to the Plus paid plan.

VyprVPN which is one of the best-in-class VPN providers offers an annual paid subscription for ($6.67 a month). This plan includes their Chameleon protocol (which hides the fact you are using a VPN and makes it usable from some highly restrictive locations). One of the other VyprVPN advantages is that they use their servers and networks as exit nodes. Is the $1.33 a month worth it? That is a personal question. VyprVPN offers Chameleon, but ProtonVPN offers Secure Core. Either will serve you well, but right now I still have to recommend VyprVPN. My recommendation would quickly switch to ProtonVPN if they released clients for the other platforms. 

ProtonVPN recommendations

ProtonVPN is a good attempt but there is definitely room for improvement:

  1. Release clients for all major platforms [ongoing]: MacOS, IOS, Android.
  2. Build a VPN hiding mode to enable use in highly controlled locations (like Chameleon on VyprVPN and KeepSolid Wise on Unlimited VPN). 
  3. Create mini 2-minute tutorials for the various functions (TOR, Secure Core, P2P support, etc)
  4. Mark the Plus servers for Plus/Visionary customers
  5. Have a way of routing VPN traffic (for Plus/Visionary customers) that does not show up as a proxy on Hulu, Netflix, etc)

Conclusion

I have tested about a dozen VPN services over the last year and the top provides are:

  • UnlimitedVPN: Ease of use and speed
  • VyprVPN: Ease of use, Chameleon protocol and they use VyprVPN owned servers and networks
  • ProtonVPN: Privacy oriented Swiss-based solution

The first two are amazing if used in the right context. If ProtonVPN answered my top 5 recommendations, then they would be the clear winner, but I cannot recommend an $8 a month VPN service without native clients on key platforms. As much as I want to, I simply can't.

Right now, I would say ProtonVPN is an excellent choice if most of your use will be on Windows. Otherwise, try VyprVPN for now and check back with Proton in a couple of months to see how the service has evolved. 

Michael Moore launches Trumpileaks using strong encryption tools

GeneralEdward KiledjianComment
Image by  g4ll4is &nbsp;used under creative commons license

Image by g4ll4is used under creative commons license

American politics is an extremely divisive issue and I will not be taking any sides in this debate. The purpose of this article isn't to promote any sides but rather to talk about how encrypted communication tools are being used.

Michael Moore launched a sub-page to his domain called Trumpileaks. The purpose is to give whistle blowers a "secure mechanism" to share information. 

The website recommends a bunch of encrypted messaging apps to share information via the web or by traditional mail. It recommends the use of Signal, Peerio, WhatsApp, Encrypted Email (Protonmail), traditional mail or general email if you just don't care.

These tools are very good for general secure communication but not if you are trying to "hide" from the american intelligence community. All of these tools leave a crumb trail of meta data which can be tracked back to you and the fact this isn't mentioned is irresponsible (my opinion).

What follows is not an exhaustive operational security guide (OPSEC) but just general recommendations.

Protecting your network access

The first thing you will want to do is protect your network identity, which would be used to narrow down a list of suspects when trying to identify you. 

Connect from free WIFI

The first recommendation is to use free open WIFI in a location away from your normal living areas (home, work, etc). Chose a place that is relatively far away like a coffee shop. Before using it to leak info, make sure you visit it looking for cameras in and around the area. When visiting it do not buy anything or leave any trail you were here. 

Remember that your cell phone is a beacon that broadcasts your location constantly and turning it off doesn't work. Either leave it behind or place it in a cell phone blocking Faraday cage bag (buy or make your own). You must block your signals before leaving your house.

I recommend going to your end location using public transit (since your car can get tracked via license plate or in-car navigation). Pay using anonymous transit tokens purchased with cash.

Use an anonymous VPN

Once you have found a good location, you will need a VPN device like the Invizbox (review here or you can buy it here. Since you will use this once, I recommend buying one with 2 months of VPN access. Invizbox allows you to buy via Bitcoin so do that. Make sure you setup a non trackable one time use bitcoin wallet for this transaction and ship the device to a fake name/fake location (so it can't be tracked back to you). 

Set up the Invizbox a couple of days before using a secure machine (described later), at another anonymous WIFI location using fake information. 

Use a service like Fake Name generator to help you create your fake identity. 

When setting up your Invizbox Go, use their VPN service to connect to a location like Switzerland. but do not use their TOR service.

How to buy anonymous bitcoin

Cash is king but for some transactions you may need bitcoin. You can use a site like LocalBitcoins to find a local Bitcoin trader that will allow you to pay cash and stay anonymous. 

I am not endorsing this trader, I am providing this as an example only.

I am not endorsing this trader, I am providing this as an example only.

Keep transferred amounts small so as not to arouse law enforcement interest (less than $500 per transaction). Use a disposable cheap android phone to host your bitcoin wallet and load only 1 identity on it. 

Create a fake identity that cannot be traced back to you. Buy burner phones cash. 

Remember, making one mistake will cause your anonymity to fall.

Protecting your Operating System

Use a secure Operating System with TOR

Your computer can be compromised to leak your identity. Even without being compromised, it leaks your identity all the time. Not only do you leak data but the unique setup of your computer leaks your digital fingerprint to any site that wants to track you (article here). If you want to test this yourself, check out Panopticlick

Hopefully you now agree that traditional operating systems aren't secure enough for the purposes of anonymity. You will need an Amnesic Incognito Live System called TAILS. This is a free operating system that you boot from a USB key that is fresh everytime you use it and doesn't leave any forensic traces on the machine it was used on. 

Tails also routes all internet traffic through TOR or I2P (use TOR). So you will use the Invizbox Go to tunnel to Switzerland and then you will use Tails with TOR to get to the dark web.

Tails is built for privacy and has a specially designed browser to minimize tractability. Ensure you follow the instructions to double check the integrity of the file you download. You will then need 2 fresh USB keys to built the final Tails USB bootable system.

You will have to make sure you laptop is compatible.

Protecting your transmission

Secure email

If you are going to use email, then make it as secure and anonymous as possible. Use a free Potonmail account (review here) via TOR. 

Anonymize your style - Stylometry

Well funded threat actors and nation state intelligence are able to identify people using stylometry. This is a technology that analyzes your writing style and then uses this knowledge to de-anonymize your content on darknet sites. 

Think of stylometry as a digital fingerprint built against your writing style (how to evade stylometry) . You may also want to checkout the Anonymouth tool  from The Privacy, Security and Automation Lab (PSAL) Drexel University, Philadelphia PA. 

Using Anonymouth will allow you to engage online while minimizing the intelligence community's ability to perform stylometry on you.

Michael Moore should setup a TOR SecureDrop service

The best way to send information as a leaker is to use a TOR service hosting SecureDrop (create by internet privacy advocate Aaron Swartz). It is an encrypted dead drop used by journalists to collect info from whistle-blowers while protecting their identity. 

The Freedom of Press Foundation has taken over the project since Aaron's death and helps media organizations install and run the tool. the FPF is addressing all of the shortcomings of the original tool

Don't trust printed leaks

You may be thinking printing and mailing is the best option but it isn't. Many printers have a hidden feature which adds invisible identification to every printed page (see EFF article here). These "invisible" yellow dots allow intelligence agencies and police to track down which printer printed a document. Recently this technique was used to track down an NSA leaker when a picture of a leaked document was show by The Intercept and the NSA found out the document was printed on one of its documents.

If you are interested, you can read about this technique here

Conclusion

Simply following the basic instructions on the Trumpileaks website is irresponsible and dangerous. Ask yourself what would be the impact if the leak was tied back to you?  Are you willing to live with the consequences?

Even with strong knowledge and good security hygiene, perfect anonymity does not exist on the internet. If you are determined to leak, learn how to do it and take the above precautions but know there is always a risk you will be discovered.