
sheivoko

Members2
  • Content Count

    214
  • Joined

    ...
  • Last visited

    ...
  • Days Won

    28

Reputation Activity

  1. Like
    sheivoko got a reaction from Casper31 in windows 10   ...
    I'm a bit surprised to see Win10 discussed at all in this forum.
    I understand that some people might not be in a position to abandon Windows but why the rush towards Windows 10? I mean, have you read their new privacy policies?

    Before you say, "yeah, all those new features suck, I'll just turn them all off" - well, you can't:
    Unless you have the "Enterprise" edition, you can't opt out of "diagnostic and usage data" collection.
    https://i.imgur.com/iHge6RJ.jpg
    https://twitter.com/adrianchm/status/626734160032477184
     
    Before you say, "oh, but you can run tweak-tool XYZ or change this registry value, that'll turn it off completely" - how do you know? It's proprietary software. You're not in control whatsoever. Also, it only takes a small Windows update - that you can no longer opt out of either - to revert your manual changes. Why would they want to do that? Well, to quote Microsoft, data collection is now "vital to the operation of Windows", so you really have no reason to believe that your manual changes will stick.

    I'm not sure what else Microsoft would have to do to make Windows look more like spyware than it already does. I really don't.
  2. Like
    sheivoko got a reaction from rainmakerraw in More Censorship coming to the UK!   ...
    You need not worry - DRIPA will be back soon, because DANGER, DANGER, TERRORISM! Thousands of lives at risk after High Court rules snooping powers unlawful
     
    One particular phrase piqued my spidey senses:
     
     
    Oh, I see! You say you need all this access to solve crime and prevent terrorism, but you also use it for "non-crime enquiries"?
    I have no further questions, your honor
  3. Like
    sheivoko got a reaction from rickjames in The Cold Hard Truth Behind VPNs? - Whonix Blog article   ...
    They are relevant, but in agreement with rainmakerraw, I would say they're poorly argued:
     
    1. Whonix blog's target audience must surely already know that you can't equate VPN providers with anonymity networks.   
     
    2. I think it's indeed a safe assumption that many VPN users have a "false sense of security", but it's hypocritical to then talk about "anonymity guarantees of Tor". Tor Project can't, never has, and never will guarantee anything. The use of the word "guarantee" suggests a false sense of security - which, ironically, was supposed to be the author's main argument. Certainly, Tor has many valuable properties that VPNs can't offer, but not a single one of them is "guaranteed" - the author might want to remember what happened to Silk Road 2:
     
    Tor Project security advisory:
     
     
    Later that year, FBI/DHS affidavit:
     
     
    Coincidence? I think not!
     
    3. Whether or not VPNs make sense for someone depends on their threat model.
    Tor is excellent but not the right tool for every job - or every person.
  4. Like
    sheivoko reacted to rainmakerraw in The Cold Hard Truth Behind VPNs? - Whonix Blog article   ...
    Yeah, because the identities of TOR users haven't routinely been compromised by three letter agencies via TOR bundle exploits, redirecting target traffic to malicious nodes, remote code execution etc...
     
    OpenVPN has its limits, especially publicly available services from anonymous individuals/corporations/entities. After all, you only have the word of AirVPN - for example - that they are 'privacy hacktivists' and not actually just another node in the NSA's swathe of operations. There are no names, addresses, offices and transparency operations to audit and you only have the word of the provider that they are who they say they are, and that they provide the non-logging service that they do. In fact I'd be amazed if the NSA et al. haven't already made it a mission objective to establish a hugely popular VPN service to amass as much plain text data foreign and domestic citizens would rather stayed private for whatever reason. Given the apparent concern over encryption and 'national security' it would seem rather backwards to not do such a thing - especially with an effectively unlimited budget and people willing to actually pay you to subsidise the operation(s)!
     
    Some providers, such as PIA, allege to not only keep no logs but to maintain a 'zero knowledge network'. They say they don't even know if or when users are connected and have no meaningful way to separate out user identities, especially retrospectively. Other providers such as Proxy.sh have stated they keep no logs but are able and willing to live monitor (amongst other things) to identify serious breaches of their ToS to identify (and if necessary report) those users responsible.
     
    "You pays your money [or not] and makes your choice", as they say. For me OpenVPN is the superior option, especially if further obfuscated via TOR and/or alternative methods. That blog seems like nothing more than an ill formed, unreferenced fanboyism to me. But what do I know?
  5. Like
    sheivoko reacted to snaggle in WITCH? — VPN and proxy detector. Can detect OpenVPN cipher, MAC and compression usage.   ...
    Hi all,
    I have just stumbled across http://witch.valdikss.org.ru/ and https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413
    I run Eddie on Arch Linux using UDP over port 53 - mostly when I visit the first link the Witch script ran and correctly confirmed this - all but the port number. This script worked well when I connect using SSL over port 433.
    Is there a way to configure Eddie to fool Witch ?
     
  6. Like
    sheivoko reacted to Staff in Blocking all non-VPN traffic (Windows)   ...
    Hello,
     
    first of all, if you just want the click-and-go solution just use the Windows Firewall and click "Network Lock" button on our Windows client Eddie, which is also free and open source. See here: https://airvpn.org/topic/12175-network-lock
     
    Eddie implements Network Lock even for OS X and Linux, of course.
     
    These guides come from the community and we are very happy about them because they provide alternative, community-driven solutions, instead of centralized solutions proposed by ourselves (which are anyway available).
     
    We kindly ask you to get documentation before you write in our public forums. You will contribute to forum cleanness and readability and will avoid writing foolishness like the quoted sentence.
     
    Kind regards
  7. Like
    sheivoko got a reaction from rickjames in airvpn vs Private Internet Access how do compare to them ?   ...
    This thread is at risk of getting out of hand, so I'll keep my arguments as concise and neutral as possible:

    1. Asking for an unbiased comparison in one of the competitor's forums is not ideal. This sort of topic is better discussed on a neutral platform.

    2. No matter which VPN provider you choose; no matter which jurisdiction they're in, there are a few constants:
    • they're all companies, compelled to make money and abide law
    • you have to trust them: you're unable to get an inside look of their operation (which you would need for a proper evaluation)
    • which means: some aspects of your evaluation will be based on opinion/experience/conjecture, but not fact

    3.
     
    Sure, three laws in particular:
     
    18 U.S. Code § 3123 - Issuance of an order for a pen register or a trap and trace device:
     
     
    Also, 18 U.S. Code § 2703 - Required disclosure of customer communications or records.
     
    And, most worrying, 18 U.S. Code § 2709 - Counterintelligence access to telephone toll and transactional records (commonly known as "National Security Letter" / gag order):
     
     
    While these laws are designed to subpoena individual customer records, their application will likely and regularly affect the whole customer base. Remember Lavabit:
    "The service suspended its operations on August 8, 2013 after US government ordered it to turn over its Secure Sockets Layer (SSL) private keys" (affecting all Lavabit users).

    4.
     
    They only publish warrants they're allowed to publish, see 18 U.S. Code § 2703. Companies are much more likely to behave like Hushmail (silently comply) than to behave like Lavabit (resist and be forced to close shop). There is no middle ground.
     
    5. I am convinced that European Union data protection laws provide a better environment for VPN providers.
     
    6. I am not convinced that it makes a huge difference to be located outside of the US. It would be a fallacy to assume "US = bad, Non-US = good":
    • similar laws exist in all jurisdictions
    • governments tend to ignore legal restraints anyway
  8. Like
    sheivoko got a reaction from rickjames in airvpn vs Private Internet Access how do compare to them ?   ...
  9. Like
    sheivoko got a reaction from rickjames in Transparent Proxy   ...
    1. Whatever you read about proxies does not apply to VPNs, they operate in a different way.
    VPNs operate on data link / network layer, making it possible to:
    • use them as a network tunnel for your whole internet traffic (that's how you use AirVPN!)
    • access remote network resources (think of a company's intranet remotely accessed by employees via a VPN)
    Proxies on the other hand (at least the kind of proxy these websites are talking about), work on the application layer:
    • configure a browser to establish HTTP connections through an HTTP proxy

    2. There is no clear definition for the term "transparent proxy".

    Most common definition
    A proxy that's transparent to the user. The user has not configured a proxy but their connections transparently go through a proxy server at some point of the route. Such a proxy might be run internally by your ISP for caching purposes, for example to cache and speed up DNS requests.

    IPLeak.net's definition
    IPLeak.net is unable to determine whether your connection is going through a proxy - meaning if you're indeed using a proxy, it is "transparent" to IPLeak.net.

    xroxy's definition
    ... is not even worth talking about, it's a terribly incorrect website.
    What they mean by proxies "that provide anyone with your real IP address": Some HTTP proxies modify your HTTP headers to include your real IP in the "X-Forwarded-For" field.
    Again, you don't have to concern yourself with that, AirVPN's servers aren't HTTP proxies.
  10. Like
    sheivoko reacted to go558a83nk in About funding browser extensions   ...
    https is a joke?
  11. Like
    sheivoko got a reaction from FromtheWalls in Article: Popular VPNs leak data, don't offer promised privacy and anonymity   ...
    There have already been multiple threads about this. Staff statements here and here.
  12. Like
    sheivoko got a reaction from FromtheWalls in Article: Popular VPNs leak data, don't offer promised privacy and anonymity   ...
  13. Like
    sheivoko got a reaction from rickjames in "The NoScript Misnomer"   ...
    I consider The NoScript Misnomer to be a very important article.

    By "exploiting" an entry on NoScript's whitelist, the author shines light on several pitfalls that not every NoScript user might be fully aware of:
    • NoScript comes with a default, enabled whitelist.
    • whitelists are inherently flawed, even more so if you don't even maintain them yourself
    • if you use a security tool without fully understanding its operation and configuration, you lull yourself into a false sense of security
    • blocking all malicious scripts is unrealistic - you will need to think about defense in depth and sandboxing

    I personally use NoScript in combination with uBlock Origin in its advanced dynamic filtering mode. I also sandbox applications like Firefox, Thunderbird, Pidgin using Firejail, a small application that provides a convenient interface to built-in Linux kernel features (seccomp, namespaces, caps).
     
    Ideally, I would be using Qubes OS for better isolation, but it's not like hypervisors are somehow magically flawless, either.
  14. Like
    sheivoko got a reaction from rickjames in DNS resolution for vpn servers running debian firewall   ...
    rickjames, thanks, that's a valuable hint: libnetfilter-conntrack3 is installed in my Mint VM (the package is part of a default Ubuntu 14.04, according to .manifest), but not in one of my minimal Arch installs - thus, no conntrack enabled there.
    conntrackd, conntrack-tools are not part of any default Mint/Ubuntu/Fedora install. To my understanding, you only need those for interfering with or monitoring tracked connections, but not for the actual conntracking.
     
    Edit:
    ufw uses state-tracking as a fallback. On my conntrack-less Arch:
    iptables-save | grep state
    -A ufw-before-input -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m state --state INVALID -j ufw-logging-deny
    -A ufw-before-input -m state --state INVALID -j DROP
    -A ufw-before-output -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A ufw-logging-deny -m state --state INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
     
  15. Like
    sheivoko got a reaction from rickjames in DNS resolution for vpn servers running debian firewall   ...
    All valid points, especially if OP already uses Eddie.
     
    One note about ufw/gufw and conntrack: even if you don't see it in the GUI(s), ufw does use conntrack by default:
     
    iptables-save | grep conntr
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
  16. Like
    sheivoko reacted to gizurr in DNS resolution for vpn servers running debian firewall   ...
    Thanks for that great information! I was actually able to limit the matches as you suggested by adding a 0-byte at the end of the pattern:
     
    -A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00|" --algo bm -j ACCEPT

    We can even get stricter and only allow requests of type A (a host address):

    3.2.2. TYPE values

    TYPE fields are used in resource records. Note that these types are a subset of QTYPEs.

    TYPE    value   meaning
    A       1       a host address
    NS      2       an authoritative name server
    MD      3       a mail destination (Obsolete - use MX)
    MF      4       a mail forwarder (Obsolete - use MX)
    CNAME   5       the canonical name for an alias
    SOA     6       marks the start of a zone of authority
    MB      7       a mailbox domain name (EXPERIMENTAL)
    MG      8       a mail group member (EXPERIMENTAL)
    MR      9       a mail rename domain name (EXPERIMENTAL)
    NULL    10      a null RR (EXPERIMENTAL)
    WKS     11      a well known service description
    PTR     12      a domain name pointer
    HINFO   13      host information
    MINFO   14      mailbox or mail list information
    MX      15      mail exchange
    TXT     16      text strings

    Source: http://www.ietf.org/rfc/rfc1035.txt
    By including those 2 bytes, which results in the following line for /etc/ufw/before.rules:
     
    -A OUTPUT -p udp --dport 53 -m string --hex-string "|03|vpn|06|airdns|03|org|00 00 01|" --algo bm -j ACCEPT

    Edit: Format
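
What the two hex-string patterns in the post above match on the wire, as an added example that is not part of the original post: it encodes DNS questions in RFC 1035 wire format and runs the patterns over them as a plain substring search. The unterminated pattern, the sample names and all function names are constructed for illustration, and only the UDP payload is modelled.

```python
import struct

# Patterns in iptables --hex-string syntax. The last two are quoted from the
# post; the first (no terminating zero byte) is an assumed earlier form,
# included only for comparison.
PATTERNS = {
    "unterminated": "|03|vpn|06|airdns|03|org",
    "terminated": "|03|vpn|06|airdns|03|org|00|",
    "terminated_type_a": "|03|vpn|06|airdns|03|org|00 00 01|",
}

# Constructed sample questions: (name, QTYPE). 1 = A, 28 = AAAA.
SAMPLES = [
    ("nl.vpn.airdns.org", 1),           # intended lookup, type A
    ("nl.vpn.airdns.org", 28),          # same name, type AAAA
    ("vpn.airdns.org.example.net", 1),  # labels continue after "org"
]


def hex_string_to_bytes(spec: str) -> bytes:
    """Convert --hex-string syntax to raw bytes.

    Text outside |...| is literal ASCII, text inside is hex (spaces allowed).
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)


def encode_qname(name: str) -> bytes:
    """RFC 1035 name: length-prefixed labels, closed by a single zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """UDP payload of a one-question DNS query (RD set, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def rule_matches(spec: str, payload: bytes) -> bool:
    """The string match is a substring search; it is not anchored to a field."""
    return hex_string_to_bytes(spec) in payload


def evaluate() -> dict:
    """Map each sample question to the verdict of every pattern."""
    return {
        (name, qtype): {
            label: rule_matches(spec, build_query(name, qtype))
            for label, spec in PATTERNS.items()
        }
        for name, qtype in SAMPLES
    }


if __name__ == "__main__":
    for question, verdicts in evaluate().items():
        print(question, verdicts)
```

The zero byte is the root label that ends every encoded name, so requiring it after `org` rejects names that carry further labels; the two bytes `00 01` that follow are the QTYPE field, which is why the AAAA question fails the strictest pattern.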
  17. Like
    sheivoko reacted to rickjames in DNS resolution for vpn servers running debian firewall   ...
    Just download the config files with advanced + Resolved hosts in .ovpn file checked. Then no resolution is needed at connection time.
     
    However, it sounds like you're using the air client. If that's the case the network lock feature will make rules for you.
    I only briefly looked at that firestarter guide but I don't see connection tracking in there anywhere. The air client uses basic connection tracking / states etc. Even the basic version is better than nothing.
     
    I won't pretend to be familiar with these GUIs as I'm a big believer in less is more. But after seeing the rules the air client makes, I wouldn't hesitate to run it. My network environment just won't work with it. If I could use it I would, if only for simplicity.
  18. Like
    sheivoko reacted to zhang888 in DNS resolution for vpn servers running debian firewall   ...
    I am not really sure why to do all these workarounds, when you can call an easier solution.
    First, {country}.vpn.airdns.org does not just return a random server, it returns the best server in each
    300 seconds timeframe. I believe the DNS backend that Air uses, has some sort of load balancing that
    queries the API in the backend.
     
    Now let's get to the API.
    iptables allows custom scripts to be executed, which means you can query the API directly to find the best
    server. Under some circumstances, it might even find a better server for you than the dns resolution.
    Those circumstances are when you are querying some ISP DNS servers that might cache records and so on.
  19. Like
    sheivoko reacted to rickjames in DNS resolution for vpn servers running debian firewall   ...
    Thank you.
    I was unaware it had that capability.
     
    Does it install conntrack conntrackd libnetfilter-conntrack3 by default? I don't have any machines running ufw atm. Sorry for being lazy lol. It's just easier to ask than set up a VM.
  20. Like
    sheivoko got a reaction from rickjames in DNS resolution for vpn servers running debian firewall   ...
  21. Like
    sheivoko got a reaction from rickjames in DNS resolution for vpn servers running debian firewall   ...
  22. Like
    sheivoko reacted to Anonymous_13 in [Release][Opensource] Show IP and country flag in tray icon   ...
    This software shows the IP and country flag in tray icon. At launch and every time the network gets changed (availability or new address).
    This is useful for those who are not using the AirVPN Client (for example when you entered your VPN in your router) but still want to be able to quickly see if the VPN is active.
    It's poorly written in VB.NET. You can polish it if you want.

    Runs in windows computer only.
    You need .NET framework 4.5 or higher to use this software and Visual Studio 2013 or higher to compile the source code. Please see 'LICENSE.TXT' as this software uses third party icons.
     
    Changelog:
    [1.1]
    + Uses MaxMind Geo2IP OFFLINE database to resolve the country. Please take care of the updated license.txt about thirdparties. For updates of the database visit http://dev.maxmind.com/geoip/geoip2/geolite2/
    + Added a close button to context menu
    + Left click on icon shows current IP and country
    ! Network change event was not fired when for example vmware network adapters are installed. It has been replaced by a timer checking every 2 seconds of network adapter changes.
    - Removed whatismyipadress, removed ip2country
     
    Due to AirVPN file size restriction you need to download the 1.1 executable from an external site (or download the source from here and compile it by yourself):
    http://www11.zippyshare.com/v/1k6ZlRQ0/file.html
     
    CRC32: ABE78AD3
    MD5: 6EB04D609FDB256D97E92C7305A9B9D5
    SHA-1: EEAE81144A01DB444B34A6B919557D46DBFEF27B
    IPCheck_source.zip
    IPCheck_executable.zip

    IPCheck_sourcev1.1.zip
  23. Like
    sheivoko got a reaction from rickjames in "The NoScript Misnomer"   ...
  24. Like
    sheivoko got a reaction from rickjames in "The NoScript Misnomer"   ...
  25. Like
    sheivoko got a reaction from zhang888 in The file 'AirVPN Europe UDP-443.ovpn' could not be read...   ...
    No, you shouldn't rename it to .conf, that's only necessary if you put the file in /etc/openvpn for use with openvpn in system daemon mode.
    By the sound of the error message I assume Britman tries to use the NetworkManager GUI.

    1. Most likely, the package network-manager-openvpn-gnome is missing
     
    sudo apt-get install network-manager-openvpn-gnome

    2. Not related to your error message, but still worth mentioning: I'm pretty sure NetworkManager is still unable to handle inline keys/certs.
    Air's Config Generator has the option "Separate keys/certs from .ovpn file" (in Advanced Mode).
     