Jump to content
Not connected, Your IP: 18.217.161.27
Ricnvolved1956

A Request for AirVPN Staff

Recommended Posts

Those of us who come to this forum to stay current on topics discussed here are aware of the passage of the draconian surveillance law now in effect in England. I tend to think this will, at some point, affect all who use Air regardless of which country you live in. I'm in the U.S. but before the law even kicked in, I made the decision to no longer direct any of my web activity through any of Air's U.K. servers. However, many Air customers probably don't have that luxury and necessarily have to go through the U.K. servers to bypass geolocation restrictions, etc. Very likely there are quite a number of AirVPN customers concerned as to what happens next and would welcome an official announcement from Air staff about this scary new reality.

 

I'm sure the Air staff are fully aware of the new internet landscape and perhaps the service's legal attorneys are closely evaluating the language of the new law so as to figure out what changes, if any, need to be made here at Air. With that in mind, I now welcome someone from Air's staff to post an official statement. In the event it's still too soon to provide a detailed evaluation of where things go from here, at least post an acknowledgment of the new law and an approximate timetable of when they think there will be something substantial to report.

 

This new law really is cause for concern and most surely will be a technological challenge for all legitimate vpn services no matter their base of operations. We here at AirVPN welcome the staff's leadership and guidance going forward.


During times of universal deceit, telling the truth becomes a revolutionary act. —George Orwell

The further society drifts from truth the more it hates those who speak it. —George Orwell

A lie is as good as the truth when everyone believes.

No one ever lost a dime underestimating the intelligence of the amerikan public. {Generally attributed to H.L. Mencken}

THANK YOU: Russia Today; Edward Snowden; Julian Assange; John Kiriakou; Thomas Drake; William Binney; Ray McGovern; Kirk Wiebe; Matt Taibbi; Sputnik News

Share this post


Link to post

I actually think that most of the people who do NOT live in the U.K. are massively blowing this out of proportion. Let's think logically about this for a second. I mean really put our thinking caps on here, instead of being conspiracy theory folks. Here are a few things that I have thought of:

 

1. AirVPN is not an ISP.

 

2. The hosting companies that AirVPN contract with are not ISPs.

 

3. AirVPN is not a U.K. Company.

 

4. AirVPN owns the baremetal servers and has access to all of the logging functions.

 

5. Even if there is some kind of downstream /upstream, ISP / Backbone logging going on what use would that be in pinpointing what any single user is doing? So we have 100+ people connected to AirVPN's server. All of the activity is on the same shared IP. AirVPN's internal system isn't logging which originating IP address is doing what. The theoretical upstream / downstream ISP logging is seeing AirVPN exitIP visiting thousands of sites, and cannot connect that ExitIP to any single user due to the nature of the sharedIP system.

 

What exactly is the issue? AirVPN can't be forced to comply with the UK's new laws any more than they can be forced to comply with the DCMA in the United States. Any incidental snooping data gathered in the U.K. Would be useless in identifying any of us individually.

Share this post


Link to post

Hello!

 

It would be nice if Air would make a habit out of making statements about the biggest/worst pieces of legislation, when they're enacted. Even if it's a simple "We know what's happening and we'll report back within X weeks about it". Even if it's a short message saying "Hi, Rule 41 affects us in ways 1, 2 and 3. But not in ways 4, 5 and 6, have a nice day muahhh" hahah. Then we'd all share that around like mad.

 

That would be nice . Then if they were really ambitious, they could have a small 5 question FAQ, with stuff like "Is Air affected? If yes, how?", "Does Air think it may have to close servers in country X?" and so on. It could preempt a lot of the questions .

 

@Khariz

1-3 seem (respectfully speaking) irrelevant to me, as that sort of legislation only serves to legitimise past (illegal) behavior, by for instance intelligence agencies. Besides, I'm sure they could always expand on the legislation if they needed (extended) hacking powers. GCHQ once hacked a Belgian ISP. So I don't see them having issues with Italian Air, legally. As for 5, the methodology can always be questioned. Sometimes all it takes is a little JavaScript to reveal even Tor users.

 

The issue is that these various kinds of legislation pose an increasing threat to people who use the Internet. Thus to stop the spread of FUD, it would be beneficial if Air Staff tried to communicate their thoughts on the matter. People absolutely love it when they do. I think if you only read the exact letter of the law, you risk blinding yourself, as you'll think "if it doesn't say so in the law, then it can't happen". Maybe you won't think it's blown out of proportion, once all other EU countries enact similar or perhaps even worse versions of the UK Snoopers Charter. What then? It's important to deal with things ahead of time, to prevent FUD; Fear Uncertainty Doubt. Not to say "it doesn't affect me, so it's ok". I also think you do a disservice to readers by calling it conspiracy theory - when these past few years have proven many "conspiracy theorists" right, in regards to state surveillance.

 

That said, I have enough trust in Air to think that they'd both act and state their intentions, if they believed it was relevant . It's always nice to hear things directly from the horse' mouth though.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

"nice to hear things directly from the horse' mouth"

Horses are not allowed to talk, the mafia bookmakers would shoot them.

 

Here is a thread from a popular forum in Australia about gagging of the data collectors:

http://forums.whirlpool.net.au/forum-replies.cfm?t=2574156

 

From the boss ISP representative:

"We have received written advice from the Attorney General's Department that we are not permitted to publicly discuss our Data Retention practices, ..."

 

Some of the discussion may not be relevant, but the Surveillance State apparatus is similar in au, uk.

As Julian Assange shows, they have ways of making you NOT talk.

 

Share this post


Link to post

I think you kind of missed my point (or chose to purposely ignore it, which is fine).  My point was "who cares what these laws say, because they can't change the physical reality of how AirVPN runs their servers, and how the internet, VPNs and encryption works at the base level."

 

The administrator of another privacy conscious VPN (CryptoStorm) recently said this about their Russian servers (and I think the logic applies to this discussion, and explains what I'm trying to say much more verbosely):

 

 

 

. . . His question was related to our new Russian node:
"@cryptostorm_is how are you working with the new laws in Russia requiring you to keep logs as a VPN provider, for this node?"

The short answer is: "We're not".
The law doesn't specify VPNs as providers, however the law does say that "state regulators" will be the ones who determine what is and isn't a provider, or rather "information-distribution organizers".
So it's possible that they could request logs from us (or rather that we start logging), but we're not Russian. 
We have no obligation to abide by Russia's laws.
The data center where this new node is physically located could be asked to start doing this though.
That means they could start logging packets leaving the server (logging the ones coming in is rather pointless since they're encrypted), which is why I always tell people that even when using a VPN you still must use SSL/TLS (encryption) on any protocol you're using.
Whenever your packets leave our servers for the internet, the usual security rules apply.
If an attacker/police/whatever were to gain access to a data center we rent from, or any hop/route between our server and the destination IP of the thing you're connecting to, they would be able to see that traffic if you're using a plaintext protocol.

Another thing to consider is that even though the content of incoming packets is encrypted, the metadata (headers) will have your IP in there if you're connecting directly to the server.
So if the person/group doing the monitoring also knows that you'll be connecting to a specific destination and they also control that destination, then the metadata could be used to correlate your traffic with what's received by the destination.
So if that threat model is a possibility in your scenario, you should be using voodoo, or several tunnels, or connecting to tor before or after connecting to CS (or all of the above).

The final possibility is that because we're not complying with the laws, Russian authorities could confiscate the server. If that were to happen, they would find no useful logs that could be used to identify any of our customers or their traffic, nor would there be any private keys on the server that could be used to decrypt the traffic of another server of ours. If any attempt was made to obtain these keys or attach something that could be used to intercept traffic after it's decrypted, our security setup would notice and prevent it, and I would be immediately notified. At that point, I would log into the server and kill all services, then most likely do some unnecessary encrypting of random/meaningless files just to screw with anyone who will be doing forensics later icon_e_smile.gif

The main reason I decided to buy this server in Russia is because I know that these "forced logging"/"data retention" laws are irrelevant. All of the scenarios listed above apply to all servers, not just the ones with laws regarding data retention. Just because a region doesn't have any specific laws regarding logging or data retention (and even if they have laws that supposedly prevent such things), it does not mean that your potential adversaries aren't going to do that type of monitoring regardless.
This is also why it's pointless for people to avoid servers located in the "five eyes" or "nine eyes" countries in order to prevent your traffic from being collected. It doesn't matter where in the world the server you're connecting to is located, all internet traffic is recorded.
It may be illegal to do such surveillance in your region, but most adversaries with the capability to do so don't abide by the law.
That is why you should be using end to end [very strong] encryption for everything you do.
If you're using any plaintext protocol on any server in the world, someone can read it if they know to look for it.
With very strong encryption (along with good keys/passwords), brute force will take such a long time that is becomes infeasible. Keep in mind that quantum computers will soon become a thing, which can be used to break encryptions once thought secure. Fortunately, post-quantum cryptography is already a thing -https://github.com/vscrypto/openssl-ringlwe

Share this post


Link to post

@Khariz As a software developer who has worked with virtual machines, debuggers and low level firmware this sort of "defense analysis" entices one to think of techniques to penetrate as a "professional challenge". But disclaimer - I do not keep across computer security at the level of reading Black Hat security conference papers etc, and just a bit of googling in this area makes me paranoid and glad to be using a VPN.

<p>

One discovery was this: https://software.intel.com/en-us/blogs/2016/02/26/memory-encryption-an-intel-sgx-underpinning-technology and associated whitepaper etc. It explains the problems being addressed.

<p>

Various things could happen by agents having physical access to server boards and chips in datacenters, possibly at 3am on a Sunday morning with entry arrangements with center security.

<p>

The semantics of "no logging" do not reassure me. In my experience with movies and books, spying agencies monitor and gain information without the target being aware, "turning" them to provide logging and handing it over is another matter.

Share this post


Link to post

Various things could happen by agents having physical access to server boards and chips in datacenters, possibly at 3am on a Sunday morning with entry arrangements with center security.

 

Everyone who is "worth" that kind of operation is not relying only on VPNs, obviously. There are other, lower hanging fruits law enforcement exploits in order to penetrate targets.

Check out the latest Firefox exploit for a good example, although it is not Firefox per se, it was tailored against Tor Browser users mostly, who were using Windows.

Backdooring VPN servers isn't one of them - too noisy, too expensive, too hard to coordinate without a chain of court orders. Out of reach for most "regular" police departments.

If your threat model includes NSA and other "above the law" agencies - read my first sentence.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Yeah, what Zhang is saying. I would like to hope that anyone posting on these message boards is not actually trying to hide from State actors. If you are, you are probably already doing it wrong.

 

But to say that some guy who lives in Germany shouldn't use a UK AirVPN server because of the Snoopers Charter? It just kind of makes me chuckle a little. Oh no, the downstream snooper of the data center's packets are going to know that one of the hundreds of users of one of the data center's servers are looking at porn, downloading torrents, and researching network security. They have no clue who the guy is, where he lives, or what his IP address is. And if by some chance they did figure those things out, they would say "well damn, he lives in Germany".

 

If you are being persued by the NSA or other some such organization, then not only should you not be using the U.K. AirVPN servers, you probably should not be be using any commercially available VPNs at all. Though I guess if you had to, using AirVPN over Tor would probably be your best bet, if the rest of your OpSec was sound.

Share this post


Link to post

Well well well! Some highly interesting and informative responses. My thanks especially to Khariz for lessening my paranoia... some. As a result I've reloaded the config generator files for the U.K. and Ukrainian servers.

 

I personally don't take offense with Khariz having a good chuckle at the fuss and bother of this topic thread. Getting that kind of knowledge is why I've begun hanging around this forum more than before. I'm one of the AirVPN users/customers technologically challenged and glad there are folks here who can help to educate others like myself. I dare to venture that the overwhelming majority of Air's customers are not genuinely malicious actors on the world stage actively trying to evade the surveillance goons. Speaking for myself, I seek out the most private and secure ways to use the internet out of equal parts principle and defiance. The revelations from Edward Snowden... Julian Assange... Thomas Drake... John Kiriakou... William Binney... Kirk Wiebe... Ray McGovern... and many, many others who are anonymous..... I take what they have to say in deadly earnest. Those men are true heroes to me. ALL of them have made enormous personal sacrifices to alert the world of the very real danger of government intrusion and overreach. Their effort on our behalf is surely a thankless task, which will be more thankless if too many ignore their warnings. In the words of Joni Mitchell: "Don't it always seem to go... you don't know what you got till it's gone..." Far too many who go online either are blissfully unaware of the dangers these men are trying to warn us about, or they've chosen to shrug in complacency, convinced the fight is already lost.

 

So, Khariz-- No, I'm not one of the true bad actors you referenced. In the overall scheme of things, I really don't have that much to hide beyond keeping my personal information private. But that's really not the point for using AirVPN, is it? I'm just a teeny tiny fish in this huge internet ocean, exercising my teeny tiny act of defiance. My hope is that others are concerned enough to join my little act of defiance to make it clear we're not about to roll over just because some entrenched, power mad bureaucrats tell us that we must because, "It's to keep you safe." It has very little to do with keeping anyone safe and everything to do with accumulating every scrap of power they can get away with. It's purely political and no one will ever convince me otherwise.

 

I read "1984" in high school and the impression it made was powerful and has stayed with me 45 years later. That kind of future may yet be the fate of this planet and if it does happen while I'm still around.... I'll go kicking and screaming before the goons toss my ashes down the memory hole.


During times of universal deceit, telling the truth becomes a revolutionary act. —George Orwell

The further society drifts from truth the more it hates those who speak it. —George Orwell

A lie is as good as the truth when everyone believes.

No one ever lost a dime underestimating the intelligence of the amerikan public. {Generally attributed to H.L. Mencken}

THANK YOU: Russia Today; Edward Snowden; Julian Assange; John Kiriakou; Thomas Drake; William Binney; Ray McGovern; Kirk Wiebe; Matt Taibbi; Sputnik News

Share this post


Link to post

 

I think you kind of missed my point (or chose to purposely ignore it, which is fine).  My point was "who cares what these laws say, because they can't change the physical reality of how AirVPN runs their servers, and how the internet, VPNs and encryption works at the base level."

 

The administrator of another privacy conscious VPN (CryptoStorm) recently said this about their Russian servers (and I think the logic applies to this discussion, and explains what I'm trying to say much more verbosely):

 

 

 

 

. . . His question was related to our new Russian node:

"@cryptostorm_is how are you working with the new laws in Russia requiring you to keep logs as a VPN provider, for this node?"

 

The short answer is: "We're not".

The law doesn't specify VPNs as providers, however the law does say that "state regulators" will be the ones who determine what is and isn't a provider, or rather "information-distribution organizers".

So it's possible that they could request logs from us (or rather that we start logging), but we're not Russian. 

We have no obligation to abide by Russia's laws.

The data center where this new node is physically located could be asked to start doing this though.

That means they could start logging packets leaving the server (logging the ones coming in is rather pointless since they're encrypted), which is why I always tell people that even when using a VPN you still must use SSL/TLS (encryption) on any protocol you're using.

Whenever your packets leave our servers for the internet, the usual security rules apply.

If an attacker/police/whatever were to gain access to a data center we rent from, or any hop/route between our server and the destination IP of the thing you're connecting to, they would be able to see that traffic if you're using a plaintext protocol.

 

Another thing to consider is that even though the content of incoming packets is encrypted, the metadata (headers) will have your IP in there if you're connecting directly to the server.

So if the person/group doing the monitoring also knows that you'll be connecting to a specific destination and they also control that destination, then the metadata could be used to correlate your traffic with what's received by the destination.

So if that threat model is a possibility in your scenario, you should be using voodoo, or several tunnels, or connecting to tor before or after connecting to CS (or all of the above).

 

The final possibility is that because we're not complying with the laws, Russian authorities could confiscate the server. If that were to happen, they would find no useful logs that could be used to identify any of our customers or their traffic, nor would there be any private keys on the server that could be used to decrypt the traffic of another server of ours. If any attempt was made to obtain these keys or attach something that could be used to intercept traffic after it's decrypted, our security setup would notice and prevent it, and I would be immediately notified. At that point, I would log into the server and kill all services, then most likely do some unnecessary encrypting of random/meaningless files just to screw with anyone who will be doing forensics later icon_e_smile.gif

 

The main reason I decided to buy this server in Russia is because I know that these "forced logging"/"data retention" laws are irrelevant. All of the scenarios listed above apply to all servers, not just the ones with laws regarding data retention. Just because a region doesn't have any specific laws regarding logging or data retention (and even if they have laws that supposedly prevent such things), it does not mean that your potential adversaries aren't going to do that type of monitoring regardless.

This is also why it's pointless for people to avoid servers located in the "five eyes" or "nine eyes" countries in order to prevent your traffic from being collected. It doesn't matter where in the world the server you're connecting to is located, all internet traffic is recorded.

It may be illegal to do such surveillance in your region, but most adversaries with the capability to do so don't abide by the law.

That is why you should be using end to end [very strong] encryption for everything you do.

If you're using any plaintext protocol on any server in the world, someone can read it if they know to look for it.

With very strong encryption (along with good keys/passwords), brute force will take such a long time that is becomes infeasible. Keep in mind that quantum computers will soon become a thing, which can be used to break encryptions once thought secure. Fortunately, post-quantum cryptography is already a thing -https://github.com/vscrypto/openssl-ringlwe

 

Cool. I was focusing more on the point in Air Staff communicating more frequently about the topic in general, so as to prevent FUD. As well as the "principle" in that while Airs setup is indeed superb, who knows where such laws will lead, if unopposed . Guess we just misunderstood each other haha. Nice post.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

I love this board precisely because we can have civil discussions about privacy related matters.  You guys are awesome.  Thanks for not getting offended, Ricnvolved1956, because I certainly meant no offense.

 

Oh, and your "little act of defiance" is awesome.  The more of us who do this (use AirVPN) the more anonymous we all are.  It's pretty cool to think about it like that.  The more this catches on, the less useful any single data point is.

Share this post


Link to post

"The more of us who do this (use AirVPN) the more anonymous we all are."

<p>

The reports recently of the proposed new Internet laws in Canada seem to explicitly include VPNs in their scope.

<p>

What surprises me a bit is not much evidence on these forum pages of users from the english speaking "educated elites"/students/etc which western governments should sympathize with - in places like Turkey, Egypt, Hong Kong, Pakistan, Kazakhstan etc that are threatened by elements in their governments.

<p>

Also a lot of the metadata collection captures not only individual personal behaviour, but also commercial and business contacts, relations and staff activities which in an internal database would be at least "commercial in confidence". Some staff need to be mobile and secure communications in airports, coffee shops, bars, etc. This provides more incentive for metadata to leak out to anyone paying an "information broker" or interception of emails etc by insiders.

Example: http://www.smh.com.au/business/your-mobile-phone-records-and-home-address-for-sale-20161116-gsqkwe.html

<p>

It is undesirable that VPN users can be demonized as just bittorrent pirates and "hackers" and criminals and anarchists.

Share this post


Link to post

serenacat,

 

Not really sure what you are trying to say.  I was addressing spying enabling statutes.  Laws giving governments the thumps up to log and database what people are doing on ISPs.  AirVPN knows that there is no local logging occurring at their machine.  Additionally, the connections coming INTO the machines from the Clients are encrypted.  The connections going OUT of the machines are not encrypted, unless the user is smart enough to be using HTTPS/SSL (or similar means).

 

So if a government agency, the data center's ISP, or any other downstream element is snooping AirVPN's outbound traffic, they will be able to clearly see that the server is not being used to merely pirate torrent content.  

 

I don't think anything you said negates my assertion that the more people are connected to AirVPN's servers the more anonymous we all are.  In fact, you points may even cause my assertion to have more meaning.  The more people that are just "routinely" connected to VPNs just for privacy reasons, and not for task-specific reasons (like torrenting), the more legitmate VPN use appears.  When an aggregate analysis of why any given VPN server is being used results in 80% mundane traffic and 20% torrenting/hacking, I can't imagine that's much different than the use-case scenarios of any given ISP's client servers.

Share this post


Link to post

I think if you read both our final paragraphs we are in agreement.

 

It is obscure how the Canadian government would implement their proposed laws, often politicians spout nonsense technically. Some may just be parroting stuff from IT marketing and lobbyists after big kickbacks from big sales of IT services etc for "big data", and bureaucrats after bigger power and payscale.

 

One can wonder about mandatory blacklists of IP addresses as implemented in the UK, or blockades by payment providers such as PayPal, Visa, etc.

 

 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...