Insights For Success

Strategy, Innovation, Leadership and Security

Anonymous

What is The Onion Router and is it secure

GeneralEdward Kiledjian

To provide its agents with a safe and secure means of communicating with each other without being tracked, the US Navy developed the TOR project. TOR stands for "The Onion Router." TOR sends your data via a network of nodes, or "onions," each of which encrypts your data before forwarding it to the next node. Consequently, it is challenging for anyone to trace your data back to you.

The TOR project is now managed by the TOR Foundation, a not-for-profit organization. TOR Foundation is devoted to researching and developing free and open-source software for privacy and anonymity. Individuals and organizations donate to the TOR Foundation, and governments and foundations provide grants.

TOR addresses are used to disguise your actual IP address and prevent tracking of your online activities. TOR addresses are composed of random letters and numbers, making them virtually impossible to guess. Your traffic is routed through the TOR network when you access a website using a TOR address, which makes it very difficult for anyone to determine your real IP address or track your online activities.

TOR is not just used by hackers and drug dealers but also by ordinary users. TOR may interest anyone who wishes to keep their online activities private. TOR is a very secure network, and the data is challenging to trace. There is much technology behind TOR, but it is a highly effective method of preserving the privacy of your data.

It is possible to deanonymize TOR users.

It is, however, a challenging task. The data transmitted through the TOR network is encrypted, and each node in the network only knows the IP address of the previous node and the next node. As a result, it is challenging to trace the data back to its original owner. Nevertheless, in rare instances, law enforcement has been able to deanonymize TOR users.

Law enforcement can deanonymize TOR users in several ways. An example of this is by exploiting vulnerabilities in the software that is used to access the TOR network. It is also possible to determine which nodes in the network are being used by the same user by traffic analysis. It is, however, challenging to deanonymize a large number of users using these methods.

To prevent being deanonymized, there are a few steps you can take. First, ensure that you use the TOR software's most recent version. Additionally, you may use a VPN or other anonymizing service in addition to TOR. By doing this, law enforcement will have difficulty deanonymizing you. Last but not least, you should be careful when sharing information online. Be careful not to post anything that could identify you, and be cautious about the websites you visit.

TOR is constantly evolving, and new features are continually being added.

What are the most significant drawbacks of TOR?

One of the most significant disadvantages of TOR is its slow speed. In addition, since your data is being routed through multiple nodes, each node must encrypt and decrypt your data. Furthermore, TOR is sometimes blocked by websites and Internet service providers. Some internet content may be difficult to access as a result.

What makes Tor more secure than a traditional VPN?

Since TOR uses a series of nodes, or "onions," to encrypt your data, it is more secure than a traditional VPN. Consequently, no single individual or entity has access to your entire flow. Tracing individual traffic on the TOR network back to a single individual is challenging. In contrast, a VPN operator sees all your traffic since it passes through their system.

What is the relationship between TOR and the Darknet/Darkweb?

The TOR network is not synonymous with the Darknet. TOR can be used for both legal and illegal purposes. Darknet is a small portion of the internet that can only be accessed through special software, such as TOR, and is frequently used for criminal purposes.

In addition to Tor, what other networks offer privacy and anonymity?

In addition to TOR, a few other networks provide similar levels of privacy and anonymity. These types of networks include I2P, Freenet, and ZeroNet. Despite this, TOR is by far the most popular and widely used of these networks.

Keywords: TOR, anonymity, online privacy, Darknet, VPN, I2P, Freenet, ZeroNet.

The New York Times now available on TOR

GeneralEdward Kiledjian
I do not agree with what you have to say, but I’ll defend to the death your right to say it.
— Voltaire

When the average consumer thinks about TOR (which isn't very often), they imagine that it is the ugly, damp & rancid underbelly of the internet. 

Reality is that TOR is a US government-funded project to create anonymity on the internet. It is a platform that allows everyone to have a voice without fear of punishment or even death (think political activists).

No technology is perfect, but TOR is a very powerful tool for human rights activists and other dissidents. 

In a 2015 The Intercept article, Edward Snowden goes as far as saying "I think Tor is the most important privacy-enhancing technology project being used today. " & " What Tor does is it provides a measure of security and allows you to disassociate your physical location."

Proof that TOR isn't just for drugs and counterfeit goods is the fact many reputable organizations have started to create their own TOR presence. 

The New York times launched it's TOR Onion Service website (in late October) as a secure way of making its content available to people around the world that may otherwise not have access to its content (China, Iran, etc.)

When companies moved to the web 15-20 years ago, sites were less reliable as companies tried to figure out how this "web thing" worked. TOR is the same today. Sites Like the New York Times are still trying to figure out how to efficiently use TOR, and therefore you should assume these sites are all in beta status. 

The New York Times reports on stories all over the world, and our reporting is read by people around the world. Some readers choose to use Tor to access our journalism because they’re technically blocked from accessing our website; or because they worry about local network monitoring; or because they care about online privacy; or simply because that is the method that they prefer.
— The New York Times

You can access The New York Times TOR ONION Service site here : https://www.nytimes3xbfgragh.onion/ [remember this doesn't work via the "normal web". 

Review of HideMyAss VPN (HMA)

GeneralEdward Kiledjian

After writing my first VPN service review a couple of weeks ago, I asked my readers "what other VPN services" I should evaluate. A much-requested one was HideMyAss (HMA), so here is that review.

You can't evaluate VPN service providers without seeing HideMyAss.  They have ads everywhere. My first experience with HMA was through a 1-month free offer provided by Anonabox

Most security blogs and posts on review sites give HideMyAss a poor rating because they have (allegedly) turned over user log information to authorities (without putting up a fight).  Others complain that the service is "feature light".

HideMyAss has a massive network of termination points (one of the biggest in the world). 

HideMyAss cost

HideMyAss has increased its prices over the years and has a single tier plan (aka you don't pay for usage volume or number of connected devices).

Your commitment term determines your monthly price. At $6.99 for 12-months, they are competing with the likes of VyprVPN and ProtonVPN. HideMyAss is almost double the price of Internet Private Access (IPA), which is regarded as one of the best from a privacy-guarding perspective. Another much more popular cheaper alternative is UnlimitedVPN.

Once a season, HideMyAss does run a 50% off promo so....

HideMyAss features

The first major feature is the sheer size of its VPN network. HideMyAss offers 720+ VPN servers in 320+ locations in 190+ countries.

Now we get to the less feature part of our program. HideMyAss VPN support's two simultaneous connections per subscriber. ProtonVPN supports 2 with it's $4 a month basic plan. VyprVPN supports five simultaneous connections with its $6.67 a month plan. VPN Unlimited is offering a $49.99 lifetime plan with five simultaneous connection support. 

HideMyAss supports OpenVPN, PPTP and L2TP. 

People who buy HideMyAss aren't power users but people who are looking for a "simple" VPN solution with an extensive termination network. They support terminations in locations like Servia and Malawi.

Is HideMyAss Secure and Private?

So many security forums and Reddit threads discuss how HideMyAss (allegedly) turns over user data to police with little pushback. The most prominent example of this accusation is a 2011 situation where it is believed HMA turned over user information for Cody Kretsinger. Cody Kretsinger was a member of LulzSec and arrested by police for hacking Sony Pictures (he was convicted of the crime). 

There are dozens of other such claims, just do a quick Google search.

Reading the End User License Agreement, you learn that HideMyAss (Privax) is a UK company and is now owned by Avast (a Czech company). The UK is not known as a haven for privacy (e.g. snoopers charter). Most UK providers must maintain rich metadata logs.

The HideMyAss privacy statement for their VPN service says "We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service. We collect aggregated statistical (non-personal) data about the usage of our mobile apps and software." HMA claims this information is kept for 2 to 3 months but the UK Investigatory Powers Act requires that this type of information be kept for 12 months.

Does HideMyAss allow Peer2Peer networking? The answer is Yes for legal content and no for illegal ones. Here is an example of a Reddit thread where a user claims HMA cut-off his service for downloading copyrighted content. In this thread, a user called neonovo says "Yes, two dmca notices from the vpn hide my ass, which as they did not hide my ass I did some much-needed research and found btguard.

I do not condone downloading copyrighted material or breaking any laws but knowing your VPN will (allegedly) roll over quickly is not comforting.

If you want to download torrent based content (legal of course), you should check out the list of torrent friendly providers maintained by TorrentFreak

Is HideMyAss secure?

I emailed HideMyAss support asking for details about its encryption technologies and directed to this support write-up. This write-up does not answer any of my questions about what cyphers are used and how. I believe some of their protocols (like L2TP) use pre-shared keys (which is a bad thing).

Without any additional information, I have to assume the worst and say "I don't consider HideMyAss secure at this point". My starting position is to assume technology is insecure unless proven otherwise.

I could not find DNS leak protection as an option in the Windows client, but my tests showed that it did not leak DNS information. 

HideMyAss performance

Assuming everything above didn't scare you away, you may be wondering about performance. Anytime I perform a VPN test; it is done using a 100MB fibre connection (<10ms ping) with a cleanly installed and patched Windows 10 computer connected directly to the internet connection. 

Some HideMyAss connections had excellent performance, and other's cut my throughput by more than 50%. Through trial and error, you will be able to find the servers that work best for you, but there is no automated performance cataloguing function. 

One item I will add here is the ability to get US Netflix. I  test this with every VPN and Netflix never works, except this time it did with one of the US servers I tested. Since it did not work consistently, I am assuming there were a couple of IP addresses Netflix hadn't catalogued as VPN yet. 

Conclusion

I don't use VPN to hide illegal activities. I use VPN to protect my privacy when I am using untrusted networks or from my ISP [read Your ISP is tracking you]. With everything that I learned during this review, I can't recommend HideMyAss. There are so many better options (in my opinion) that you shouldn't settle for a company that doesn't go the extra mile. 

Review of Private Internet Access (PIA)

GeneralEdward Kiledjian

The question I receive the most is "what VPN service should I use when I travel?".  I started writing and testing the most popular ones and so far you can read these ones:

The next most requested service is Private Internet Access (referred to online as PIA). 

Introduction

Private Internet Access (PIA) is one of the most popular and affordable VPN service providers around. At last count, PIA offers 3,193 servers hosted in 24 countries. PIA belongs to an organisation called  London Trust Media, Inc. 

The tech

Private Internet Access is an easy choice for the general consumer because of the wide range of clients it supports: MacOS (10.4 and newer), Windows 7/8/10, Unix/Linux, Ipad/iPhone (PPTP, IPSEC, L2TP), Android (PPTP, IPSEC, L2TP, OpenVPN), DDWRT, Tomato OpenVPN, PfSense OpenVPN.

It not only securely reroutes your traffic but it can also block ads, trackers and malware. It does support P2P traffic and has a strict no log policy. 

Rick Falkvinge, head of privacy at PIA, talking about their no log policy and why it's important.

The client

Their clients are simple and straightforward but offer interesting features like the level of encryptions, DNS leak protection and a kill switch (to stop all traffic if the VPN drops).

It will let you pick a region to exit from but not a particular server. 

PIA allows you to connect up to 5 devices simultaneously. 

The speed

For comparison purposes, I tested PIA against ProtonVPN, ProXPN, UnlimitedVPN and VyprVPN. All terminating in Canada. My connection to the internet was a machine connected straight into my internet router with no other traffic (keeping all the variables controlled). The machine was a freshly imaged version of Windows 10 with all of the latest patches applied and only Google Chrome installed.

My connection is a 100MB down / 10 MB up. Without a VPN I usually get performance slightly better than advertised. With VyprVPN (the fastest), I managed to get close to 95MB down / 9.6 MB up. With PIA, I managed to get 87 MB down / 7 MB up. 

My ping without a VPN was below 12 ms but hit around 25-50 with PIA. 

Netflix?

People want to know if they can access US Netflix via PIA and based on my testing, the answer is: almost never. During my testing, Netflix detected the PIA connection and blocked access. A small number of recent online comments (on various sites) said Netflix worked for them but I was not able to reproduce it.

Support

I had no need for support but read dozens of complaints online about their support. Your mileage may vary. 

Price

The annual price here is a no-brainer: $39.95US a year everything included. This is an incredible deal. VyprVPN comes in at ~$80 a month (paid annually). 

Conclusion

PIA offers a trusted and well respected VPN service for a very competitive price. If you need a layer of protection from your ISP then this is definitely an option you need to consider. Advanced users may find the sparse low granularity interfaces annoying but then again, sometimes you just want things to work without having to tinker. 

Honest review of the ProtonVPN service

GeneralEdward Kiledjian

UPDATE 7/5/2017: My connection to the ProtonVPN endpoints using their Windows client is extremely unreliable. At random intervals, the connection just "stops working" and the only way to fix it is to connect to a new location. I have had a support request open for over 1.5 weeks and my issue hasn't been resolved yet. I cannot recommend the ProtonVPN service at this time for the reasons listed below and because my experience has been unstable (and support has been slow to non-existent).

------------------------------------------------------------------

Since the official public launch, I have received dozens of emails (and Twitter DMs) from readers asking me to review ProtonVPN. 

A group of scientists with a track record of building secure products (ProtonMail) designed ProtonVPN from the ground up to be safe and privacy-enhancing.  The promise is that they will bring the same end to end encryption model to the highly uncertain world of VPN.

They talk a lot about the benefits of being headquartered in Switzerland, and many of their statements are accurate. Let's talk about the Five Eyes

Who are the "Five Eyes"?

With the Edward Snowden leaks, we learned about the complex data collection agreements between "friendly" countries. The first significant agreement is called the UKUSA agreement and is an agreement by the United Kingson, United States, Australia, Canada and New Zealand to collect, analyse and share intelligence information with each other.

This group is referred to as the "five eyes" because of their laser-like focus on sucking up incredibly massive amounts of data and sharing it with their "partner" intelligence friends. Some have even accused these countries of using this partnership to circumvent local laws designed to present local intelligence agencies from spying on their people (they get another five eyes Country to do it and report back).

So the Five Eyes countries are:

  1. Australia
  2. Canada
  3. New Zealand
  4. United Kingdom
  5. United States

Not wanting to be left out, other countries soon sought membership in this coveted group, and now we believe the extended group should be called the 14 eyes:

  • Denmark
  • France Netherlands
  • Norway
  • Belgium
  • Germany
  • Italy
  • Spain
  • Sweden

Switzerland is not part of the 14 eyes (or five eyes)

So protonVPN is located in a much more privacy friendly jurisdiction that does not have a formal intelligence gathering and sharing agreement with the rest of the world.

ProtonVPN technology

ProtonVPN uses industry standard OpenVPN with UDP or TCP. It currently has a ProtonVPN branded Windows client.

As I write this, ProtonVPN allows you to use any OpenVPN client with their service which is how you can connect from IOS, Android, MacOS or Linux. We are being promised clients for these platforms, but there is no firm committed to date.

In this day and age, it is unacceptable for a mainstream VPN service to not have its own client on these core platforms. Especially when ProtonVPN is charging premium rates for their services.

Does ProtonVPN slowdown my connection?

I did extensive testing of the ProtonVPN service from various internet connections (home, office, coffee shops and three different cell phone providers). I also used different clients (Windows, MacOS, Android and IOS). 

If you are using (non-secure core) close by exit node with low traffic, the performance hit is usually 5-12%. This is no better or worse than other high-quality VPN providers. When you turn on secure core routeing, you can lose 20-45% of your connection speed because it is sending your traffic through 3 secure data centres plus the exit node. 

What is the Secure Core Technology?

Secure Core is a nice enhancement to traditional VPN technologies that pass your traffic through multiple ProtonVPN owned and managed servers before finally delivering it to the exit node. 

Why Secure Core?

Secure Core was created to add additional protection when your exit node is in a "high risk" jurisdiction. As an example, you may want to exit in the US to gain access to geographically locked content but want to ensure your privacy is protected (knowing that almost all US traffic is captured, analysed and stored).

What does Secure Core protect against?

Leaked documents have shown that governments can deanonymize TOR traffic by controlling a large number of TOR exit nodes. The same can be done using VPN exit nodes. Most providers use local service provider facilities, networks and computer as termination points for their VPN service.

The three VPN services I am testing right now (ProtonVPN, UnlimitedVPN, ProXPN) all use Amanah Tech as their Toronto-based exit point. If a government agency were to compromise the equipment, they could then start de-anonymizing traffic flowing through it.

By routeing your traffic through multiple (typically three), ProtonVPN owned and managed devices in secure jurisdictions first; they make the de-anonymization (even if a government agency compromises the exit node) much more challenging.

When most people think of governments monitoring internet traffic, they think of (China, Russia, Iran and Turkey). It is important to remember that the 14 Eyes also monitor internet traffic and share the data amongst themselves.

Does ProtonVPN support Peer to Peer protocols (P2P)?

Like all VPN providers, ProtonVPN does not condone the use of their service for any illegal activities (including the illegal download of copyrighted content via P2P networks). Before I start receiving hate mail, I know there are legitimate uses for P2P technologies (like Resilio Sync or Tails OS).

ProtonVPN clearly marks endpoints that they recommend you use with P2P traffic:

The double arrows mean that is a P2P supported exit node. The Onion icon next to Switzerland is an example of a location that has a TOR entry node.

Does ProtonVPN log?

ProtonVPN is built on a pedigree of privacy, and their stated logging policy exemplifies that. ProtonVPN has a No Logs policy which means they do not store any information about your connection, what you do while connected and where you connect from.

The only information they log (for security reasons) is a single timestamp of the most recent logging from your account.

ProtonVPN sign-up

Potonmail and ProtonVPN have linked accounts and payment can be made via Credit Card or Bitcoin (instructions).

ProtonVPN goes to great lengths to protect your identity, but I would still say it is a privacy tool and not an anonymization service. The best anonymization system is still the free TOR browser(you should donate to them if you haven't already).

ProtonVPN Paid Plans

ProtonVPN offers a free plan but most users will want to upgrade to the Plus paid plan.

VyprVPN which is one of the best-in-class VPN providers offers an annual paid subscription for ($6.67 a month). This plan includes their Chameleon protocol (which hides the fact you are using a VPN and makes it usable from some highly restrictive locations). One of the other VyprVPN advantages is that they use their servers and networks as exit nodes. Is the $1.33 a month worth it? That is a personal question. VyprVPN offers Chameleon, but ProtonVPN offers Secure Core. Either will serve you well, but right now I still have to recommend VyprVPN. My recommendation would quickly switch to ProtonVPN if they released clients for the other platforms. 

ProtonVPN recommendations

ProtonVPN is a good attempt but there is definitely room for improvement:

  1. Release clients for all major platforms [ongoing]: MacOS, IOS, Android.
  2. Build a VPN hiding mode to enable use in highly controlled locations (like Chameleon on VyprVPN and KeepSolid Wise on Unlimited VPN). 
  3. Create mini 2-minute tutorials for the various functions (TOR, Secure Core, P2P support, etc)
  4. Mark the Plus servers for Plus/Visionary customers
  5. Have a way of routing VPN traffic (for Plus/Visionary customers) that does not show up as a proxy on Hulu, Netflix, etc)

Conclusion

I have tested about a dozen VPN services over the last year and the top provides are:

  • UnlimitedVPN: Ease of use and speed
  • VyprVPN: Ease of use, Chameleon protocol and they use VyprVPN owned servers and networks
  • ProtonVPN: Privacy oriented Swiss-based solution

The first two are amazing if used in the right context. If ProtonVPN answered my top 5 recommendations, then they would be the clear winner, but I cannot recommend an $8 a month VPN service without native clients on key platforms. As much as I want to, I simply can't.

Right now, I would say ProtonVPN is an excellent choice if most of your use will be on Windows. Otherwise, try VyprVPN for now and check back with Proton in a couple of months to see how the service has evolved.