Posts posted by InactiveUser


  1. Yes it is a great tool, been using it myself too. Although AppArmor/SELinux can do all of that (and more) and are more tightly integrated/preinstalled in many Linux distros, I find firejail to be much easier to configure.

     

    Any firejail user should definitely spend some time to fully understand how to use the profiles in /etc/profile/firejail and how to customize them. Perhaps one of the most useful features: limit filesystem access.

    Remember the recent Firefox PDF exploit that allowed malicious websites to read and upload arbitrary files from your computer?

    Firejail could have protected your documents:

     

    blacklist ${HOME}/Documents
    

     

    You still want Firefox to access your nested "Screenshots" folder?
     

    noblacklist ${HOME}/Documents/Screenshots
    

     

    It's that easy!


  2. That is a good question. It really depends. You can either buy them from fixed-rate exchanges, or buy them more or less directly from other people, on a trading market.

    Fixed-rate exchanges will charge a significant premium (10-25% is not uncommon) but may offer convenient and instant payment methods (credit card, online banking, pre-paid vouchers).

    Trading on markets will yield better prices because deals are made person to person, with the market only taking a small cut (usually < 1%).
    Downside: You will have to register and verify your bank account first. Some markets may also require ID.

    I would recommend to do some research, starting with this list.


  3. flat4 downloaded a piece of Free Open Source Software. All of a sudden, flat4 is able to make and receive free of charge, international, instant payments in a decentralized, transparent system. No bank, no government, no company able to tell flat4 who they can or cannot deal with, or for what purpose. I think that's super awesome.

    Compare that to the world's most popular method of online payments:
     

    Brian and Jan Ficht had their PayPal Canada account frozen after they used it to pay for a three-week educational tour of Cuba's urban agriculture practices.

     

    (CBC News)


    Sure, Bitcoin doesn't offer perfect privacy or anonymity. Point taken. But you can't expect the first iteration of a totally new technology to solve all problems at once. Alternative cryptocurrencies with a focus on privacy are already in the works:
    Zerocoin/Zerocash
    Monero

    Dash

    We will get there.


    flat4, what do you mean by "they're expensive to buy"?
    You don't have to buy a full bitcoin all at once! 0.1 BTC would cost you about $31 at this moment.


  4. So, you seem to be leaking through both WebRTC and DNS.

     

    uBlock Origin, an addon available for both Firefox and Chrome/Chromium, can stop the browser from leaking IPs through WebRTC:

     

    [Image: yZLci8H.jpg]

     

     

     

    Fixing the DNS leak depends on how you connect to AirVPN. Are you already using the AirVPN Eddie client software? What's your operating system?


  5. It's totally okay and safe to use Tor with AirVPN. The note you read means that you should refrain from running Tor exit nodes on AirVPN servers, but you don't have to concern yourself with that as a mere Tor user.

     

    Context:

    A Tor exit node is a Tor client that allows incoming connections from other Tor clients, and allows these connections from other Tor users to exit the Tor network to the internet. It's noble and obviously very necessary to run Tor exit nodes, but it's not something you should do on a VPN service, because it negatively affects all the other VPN users on that server.

    For example, IRC networks such as Freenode do not allow Tor, but generally allow VPN connections. If somebody ran a Tor exit node on a VPN server, this server would also become blacklisted. Note that merely using Tor on a VPN server cannot have these negative side effects. They only occur if you configure your Tor client as an exit node.


  6. You can argue all day about which piece of AV software boasts the best detection rate, but that's beside the point. Detection rates and test results don't tell you anything about the software's code quality. Kaspersky was mentioned in this thread, so let's ask Google's security team how they feel about Kaspersky:

     

    Sep 4, 2015:
    "A remotely exploitable stack buffer overflow in ThinApp container parsing"

     

    Sep 7, 2015:
    "remote, zero-interaction code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus. I've tested Windows, Linux, Mac and a product using the Kaspersky SDK (ZoneAlarm Pro), all were exploitable."

    Sep 9, 2015:
    "arbitrary stack-relative write, remotely exploitable for remote code execution as NT AUTHORITY\SYSTEM"

    Sep 10, 2015:
    "unpacking remote memory corruption, exploitable for remote code execution as NT AUTHORITY\SYSTEM on all systems using Kaspersky Antivirus."
     

     

    Fun fact: There's a compiler flag /GS (Buffer Security Check), which would prevent a lot of these exploits. Visual Studio even enables this by default. Kaspersky however opts to disable this flag for performance or coding convenience reasons.

     

     

    Time and time again you see AV "security" products do more harm than good, introducing new security issues rather than preventing them.


  7. Hi maxiel, I tried my instructions on a phone that doesn't have an SD card slot, and I didn't have to modify any instructions.

    An SD card is not required; Android usually maps the /sdcard/ directory to the main directory of the internal storage if there's no sdcard slot.

    I'm not an Android expert, so I don't know if all Android versions and devices work that way.

    In any case, when transferring the AirVPN folder to your device, you're free to choose any writable location on your device - it does not have to be /sdcard/.

     

    (analog to step 6)

    • Copy the AirVPN folder to your Android device, to a location of your choice.
    • Figure out the exact path name of that location, perhaps by browsing to it in a file manager. Make note of that path and modify step 9 accordingly:

    (analog to step 9)
     

    cd
    mv /some/other/Android/path/AirVPN/* .
    

  8. Cannot reproduce your problem, sorry.

    As to why you're experiencing "crawling internet speeds", I don't know, my first guess would be too many concurrent connections.

    I do not use the BitTorrent protocol much myself, neither with nor without VPNs, so anyone else's input would be highly appreciated.

     

    You're certainly not compromising privacy by "leaving the listening port closed in Transmission". Just leave it at that especially if speeds are already satisfactory.

     

    EDIT:

     

    is this necessary if I have network lock enabled all the time: https://airvpn.org/t...linux-iptables/

     

    No, it's meant as an alternative for non-Eddie users who use OpenVPN directly.


  9. Well, I don't use Netflix so it's the OP's turn to try this out. If Air's DNS is enough to get you into Netflix, then (and only then) my solution would work.

    My solution will obviously not enable you to use Air's internal routing system, because, well, you aren't routing your traffic through Air.

    All I do know for sure: This is the only way of using Air's DNS without also using Air's VPN for the actual traffic.


  10. You can't use Air's DNS from outside the VPN.
    However it should be possible to connect to the VPN, but then use a modified routing table that doesn't route any IP traffic through the VPN.

     
    Do you use AirVPN's Eddie client or do you use OpenVPN directly?
    If you use Eddie (2.10.3), try this:
    Go to Preferences, Routes and change "Not specified routes go" to "Outside the tunnel".

     

    [Image: whgnSHg.jpg]

    Caution: This does exactly what it says - you would be resolving DNS requests via Air's DNS, but any traffic to the resolved IPs would not go through the VPN.

     

    To check if it's working, connect to any server and then check your connection status at the bottom of the AirVPN website. You should get "Not connected", despite your established VPN connection.

     

    Don't forget to revert this setting to "Inside the tunnel" as soon as you want to switch back to regular VPN routing. Always verify that your changes have the intended effects, perhaps using IPLeak.net.


  11. I'm guessing this uPnP box just adds a port forwarding rule to forward the listening port through my router - but how does this reduce my privacy?

     

    Well if you expose a torrenting port on your router, through UPnP or manually, you allow peers to connect through your router, obviously exposing your router's IP.

    Now, if you keep Network Lock enabled, that should prevent actual incoming connections reaching your torrenting app, but then there's also no reason to have any sort of forwarding on your router in the first place.

     

    Also remember that UPnP does allow for way more than just port forwarding, it's a whole set of features and protocols. zhang888 claims that one way for WebRTC to get your router's WAN IP is actually UPnP. This answer on superuser suggests that you can in fact do that with UPnP.

    I don't think UPnP should be enabled on any router.

     

     

    why would they even see my real IP?

     

    You stated that you enabled UPnP and saw an instant increase in peers and speed. If that increase is in fact related to you enabling uPnP (and not just random), it means that UPnP worked and peers successfully connected through your router (= your real IP).


  12. checked the "Use UPnP or NAT-PMP port forwarding from my router" box again, and my download speed is wayy up and I have lots of peers on my downloads. So I'm not sure what I am doing wrong. The weird thing is - when I go to my router there are no port forwarding rules there, so I'm not sure where the rules are being added when I check that box.

     

     

    1. Don't check the uPnP box if you use a VPN and want to achieve torrenting privacy.

     

    As to why it's significantly faster than VPN portforwarding, I can think of two potential reasons:

    - has VPN portforwarding been set up correctly? Does Transmission's "Test Port" feature yield "Port is open" or "Port is closed"?

    - maybe peers find your real IP more attractive than your VPN IP. Some peers use extensive IP blocklists, often banning whole IP blocks associated with businesses, with the goal of only allowing residential providers. I guess VPN IPs may fall victim to some of those lists.

     

    2. UPnP is meant to be dynamic, automatic and temporary. I guess that explains why some routers may not list UPnP-forwarded ports together with manually forwarded ports. Maybe check some other areas of your router's webinterface.


  13. @Zaroad:

     

    before running "./nunki", did you run "cd" to jump into Terminals home directory? That's where all the stunnel files should be.

    After running "cd", the command "pwd" (print working directory) should output this path: /data/data/jackpal.androidterm/app_HOME

    nunki and all the other stunnel-related files should be in there, you can check with the "ls" command.

     

    Speed issue: I've noticed slow speeds as well, not as terrible as yours, but a very noticeable decrease. Try a server closest to you, but I think there might be something else going on: stunnel does not tax my phone's CPU much at all. Considering that you can easily get 50Mbit/s stunnel+OpenVPN throughput on an AC68 router, there must be some optimization problem with stunnel's Android build.

    I'll try to look into it on Sunday.


  14. Nissemus, torrent speed is all about how many seeding peers there are and how many of them you can see. There are two major ways to discover peers:
    - centralized torrent trackers
    - decentralized DHT

    VPN users often find themselves blocked from torrent tracker servers, which makes it even more important to ensure that DHT works well. I haven't done any speed tests myself, but it makes sense that you may get better speeds by being a reachable DHT node instead of a passive one. Some other P2P networks even require you to be reachable. I usually don't forward ports for torrenting myself, but poorly seeded torrents definitely seem to perform worse than on port-forwarded machines.


  15. No, it doesn't depend on your tin foil hat, it depends on principles.

     

    Let me ask you this, can you truly trust AirVPN?

     

    Well, I "trust" AirVPN slightly more than my internet providers, but that's about it. I don't foster any false belief in VPN providers, where did I give this impression? I recommend Tor instead of VPNs every chance I get.

    Responding point by point:

    1) I don't care where your OpenVPN Connect originally came from. It's distributed as proprietary software on a proprietary platform, containing who knows what, bound to all kinds of crazy clauses and restrictions. I don't use proprietary apps or proprietary platforms. I know exactly where my OpenVPN is coming from - compiled from source myself or compiled by someone who I have solid reason to trust. Give me one reason why I should trust Apple's platform with that task. Especially given all the recent hoopla about mandatory government crypto backdoors. iOS app installations are bound to your account. If you're personally targeted, it's very easy to deploy backdoored versions exactly and only to your account. This alone should be reason enough to avoid any sort of personalized app store.

    2) "who cares" means you don't care. I do. If I use inherently untrustable applications on top of my VPN usage, everything I did was for nought.

    3) In today's age, everyone is a suspect. Just talking about VPNs or Tor makes you a suspect. If your government cares about Tor, they also care about VPNs - see China. We weren't talking about avoiding being a suspect, but avoiding OpenVPN-blocking firewalls. Tor may sometimes be a way to accomplish that. I wasn't saying anything more or anything less than that.

    4) Not sure what you mean by "reliable". Yes, AirVPN has been reliable for me. Mobile networks have not and that's why I use Tor on mobile instead, because in my experience, Tor handles network hiccups more gracefully than OpenVPN. Nothing more, nothing less.

    5) True. Where exactly did I claim otherwise? Who torrents on a mobile data budget?

    6) Agree, exactly what I said. Jailbreaks eke out a little bit of configurability on a hostile platform, at the cost of security. And at the cost of exploring alternative platforms instead.

    7) I know about their audit. Great they fixed bugs, but what about all the security holes since freakin' March this year? I mean, great, they had their source code audited - but how do you know the audited source code equals your binary obtained from the app store? You don't and you can't. Also, the Onion Browser developer might be in contact with Tor Project, but they certainly are not involved. On Tor Project's site, there is an official reference to Orbot. None to Onion Browser or iOS (for good reason). Onion Browser is in no way condoned, recommended or referenced to by Tor Project.

    8) Anonymity on mobile platforms is a hard problem to solve. That's why you haven't seen an official mobile version of Tor Browser. That's why you will never see an official version for iOS, especially if you take into consideration the licensing problems I mentioned. Guardian Project's Orfox for Android is on its way, though.


  16. I'm not sure what exactly you're trying to do, so my apologies if my answers don't go into the right direction.
     

    I do currently have a dynamic DNS of some sort set up on my raspberry pi - I remember I used inadyn and freedns.afraid.org - but I set it up a while ago and I don't fully understand it. Right now it is just pointing at my home public IP.

    Would I be able to do both - my home network with and without vpn? How would that work though, because isn't my public IP different with each server I connect to? So if I am connected to two servers, which one would the dns point to?

    DNS entries can easily point to more than one IP address, that's not a problem.
    Although an unusual setup for Dynamic DNS, it would certainly be possible to set up.

    However, it would probably be unwise to have the same DNS entry point to both your public home IP and your current AirVPN IP. If you do that, you could just as well not use AirVPN for your purpose at all.

    Why would you want your DNS entry to resolve to both your home IP and the AirVPN IP? Wouldn't it be sufficient to be reachable just on the AirVPN IP?

    The way I see it, all you need to do is run a DDNS client like inadyn or ddclient on whatever device you want to be reachable: As an example, if you want your Transmission interface to be reachable on 2Girls1CPU.afraid.org:12345, you need to run inadyn/ddclient (configured to update the IP for your 2Girls1CPU.afraid.org account) on whatever machine runs Transmission.
    The client will constantly update the DNS record to that machine's current external IP, regardless if that's your home IP or an AirVPN server. If an AirVPN connection is established on that machine, the AirVPN IP will be the only one in your DNS record, unless you do some extra work, but I don't even see why you would want another IP to show up there.


  17. Br0wnb3ar, the idea is to hide the OpenVPN connection (which is necessary to thwart firewalls that block OpenVPN, but may allow SSL, SSH or some configurations of Tor).

    Your suggested approach would not accomplish that.
    Not to get too far off-topic, but I would like to point out a few other problems:

    1. iOS

    • While iOS might very well have better security design than other mobile platforms, it is a very hostile environment for Free Open Source Software. It's impossible to achieve any level of reliable, verifiable privacy or anonymity without FOSS.
    • iOS is a very hostile environment for tinkerers. You do it the Apple Way™ or you don't do anything at all. I demonstrated that it's possible to use stunnel + OpenVPN on stock, non-rooted Android, using nothing but FOSS. It's not at all possible on iOS. You might be able to hack something together on a jailbroken iOS device, but that would mean:
      • resorting to outdated iOS versions (jailbreaks are unlikely to be available for the most recent version)
      • trusting a 3rd party to exploit a root-level security vulnerability on your device (that's how jailbreaks are installed!)
      • for those two reasons alone, I don't think jailbreaks can be considered a viable solution, especially for privacy-conscious people. They rather compound the problem.

    2. iOS Onion Browser (assuming you mean this one, but my points would apply to any other app as well)

    • How do you know this one to be better (or more trustworthy) than its competitors? How are you able to verify it actually contains an unmodified, un-backdoored Tor release? You can't do any of that on a locked down, DRM-encumbered, proprietary platform.
    • Tor is released under the GPL license. As mentioned above, GPL software cannot (legally) be distributed in Apple's appstore. The ramifications go beyond legal rhetoric, they are in fact very practical: By distributing through Apple's store, the app's developer restricts the users' abilities to freely use, read, modify and redistribute Tor as intended by Tor Project and the GPL license.
    • The app has last been updated on March 31, 2015, which means the included Tor and OpenSSL versions are woefully out of date.

     
     
    Back to the original topic: I agree with eyes878, VPN-over-Tor on mobile is probably not a very usable setup, and here is why:

    • Tor on mobile works well. It handles constantly changing network conditions (or your device going to sleep) reasonably well and quickly re-uses its circuits or opens new ones as soon as connectivity is restored.
    • a VPN will, in my experience, take just that little bit longer to re-establish the connection each time. This will, no doubt, be compounded if you tunnel it through Tor.

    For this reason, I prefer to exclusively use Tor on mobile devices, unless I know connectivity to be very reliable, in which case I might use a VPN exclusively or Tor-over-VPN.


  18.  

    Is it possible to setup some kind of DNS that would point to whatever IP I am assigned each time I connect to a server through AirVPN?

     

    @2Girls1CPU

     

    Hello,

     

    we provide a DDNS which is already included in any AirVPN account subscription and that does exactly what you're asking for:

    https://airvpn.org/topic/9314-what-is-dynamic-dns

     

    Kind regards

     

     

    I was tentative to mention AirVPN's DynDNS feature because of the prominent "Warning: DDNS doesn't work correctly with two o more connections." I suspect most users will be using two or more connections.


  19. The con "VPN provider is able to snoop on your traffic" means packets are not encrypted between VPN and the world, including source and destination information?

     

     

    Right, a VPN only provides an encrypted channel between you and the VPN server, but it does not somehow encrypt the packets going through that channel: If you send unencrypted data into a VPN, that's how they will go out to the world.

     

    Whatever you use as an exit point for your traffic will be in a position to:

    • observe where you're going to
    • observe who you are (only true for a direct VPN connection; not true for VPN-over-Tor; virtually not true for Tor itself)
    • read the contents of unencrypted connections (HTTP, FTP, Telnet, old email servers not using TLS, etc.)
    • modify the contents of unencrypted connections (change DNS requests, change website content, inject ads, inject malicious content)
    • to some extent, attack encrypted connections (downgrade attacks; SSLStrip; replace valid with rogue certificates)

    This is true for both VPNs and Tor exit nodes (if used as your exit point).

    An argument can be made that using a VPN as your exit point is potentially more dangerous than using Tor as your exit point:

    A VPN service is controlled by a single entity, whereas Tor nodes are controlled by a number of different entities.

     

    VPN as exit point:

    If the VPN service were to act maliciously (or get compromised), all your traffic would be affected all the time (fixed exit point).

     

    Tor as exit point:

    If some Tor exit nodes were to act maliciously (or get compromised), some of your traffic would be affected some of the time (constantly changing exit points)

     

     

    Touching on some of your other questions:

     

    No, "Tor over OpenVPN" and "Tor over Eddie" don't refer to different things: Eddie is just AirVPN's custom graphical interface to OpenVPN. In this context, VPN/OpenVPN/AirVPN/Eddie will often be used interchangeably.

     

    Yes, unencrypted traffic like HTTP should always be considered a (potential) security vulnerability and (definite) privacy issue.


  20. More or less, although "Tor over VPN" is more about hostile VPNs, not hostile ISPs. Both Tor and VPNs can already be useful on their own to combat hostile ISPs.

    I have previously compiled a list of pros and cons for "Tor over VPN" vs "VPN over Tor".

     

    I'm not sure there are any striking weak points in your hypothetical, but the significant "cons" I list in my other post still apply.
    As far as Bitcoins are concerned, you will probably find that many of the popular methods aimed at erasing Bitcoin's traces don't hold up to scrutiny.
     
