In <news:***@mid.individual.net>, Mike Easter
<***@ster.invalid> wrote:
Hi Mike,
This response is really just to you.
Consider this a "personal note" just to you.
Everyone else ... I warned you ... this is betweem Mike and me.
I don't think it will be helpful for tribal knowledge, overall.
But since you are a helpful guy, I respond to you directly, mano a mano.
Post by Mike EasterI understand there is a difference between running tests and *actually*
using VPNs, which genuine VPN usage is supposed to be all about privacy.
Yup. If you want a noob to get up to speed, what you want to give that noob
is a text config file that he can doubleclick on and it "just works".
Once the noob has the whole process working, then he can luxuriate in the
intimate charms of selecting among what must be hundreds of potential VPN
server providers, each with their own detailed pros and cons.
For the purpose of the tutorial, *any* OpenVPN config file that was self
contained is sufficient for the purpose of the tutorial.
NOTE: By self contained I mean *everything* is in the config file,
including the encryption keys and passwords, etc.
Post by Mike EasterI also feel that a great many VPNs are *worse* in that respect than
connecting 'directly' using one's own connectivity provider. That is,
the provider cares even less than do some VPNs, and depending on the
'severity' of whatever you are doing that requires privacy, a great many
VPNs definitely should NOT be used.
To adequately answer that paragraph would take ten PhD's the rest of their
lives, and they'd still not agree.
Suffice to say everyone has a "threat model", where mine, for example, is
simply that I want a "new IP address" (e.g., a proxy works as well for me,
except it only works in a browser - where the encryption in VPN is simply
an added bonus for me).
Q: What is my thread model, aka Whom am I hiding from?
A: Major aggregators, such as Google, Facebook, Amazon, whatever.
Specifically:
Q: Am I hiding from a state-sponsored adversary?
A: Hell no. Not in your wildest dreams. They'd have me pegged in 2 seconds.
But some people, as Shadow alluded to, are hiding from state-sponsored
adversaries. OK. If you're hiding from a well-funded adversary, you sure as
hell better not be a noob who is using this tutorial to save your ass.
Really.
Let's be realistic here, Mike.
I'm not writing a tutorial for noobs to learn how to hide from TLAs, right?
Nobody thinks that, do they?
So let's dispense with this spooky stuff and stick with the two very basic
things you get with any decent VPN service.
1. A new IP address, and,
2. Encryption of your traffic from you to the VPN service.
That's all that we should reasonably expect of a noob tutorial.
Post by Mike EasterFor that reason, I believe that the research and ratings provided by
TOPS (That One Privacy Site) mentioned and linked earlier is a necessary
ingredient in the process of 'messing with' VPNs. He has done a lot of
work in his evaluations; and unlike most (such as list of top free
openvpn servers), I believe that he is honest in his evaluations and not
tied to/ shilling/ any particular VPN service.
As I noted, a bunch of his fields were pure bullshit (e.g., he rated
VPNGATE as red, and a "No" for refunds, when they never charge anyone any
money - and - he lists Linux as white - even though all you download is a
text file - which works just fine on *any* platform that runs an OpenVPN
client for heaven's sake).
But overall, his detailed chart is fine for someone to CHOOSE from one VPN
to another, but for a noob tutorial, we have to do that choosing for them.
Remember, the only two things that matter for the noob tutorial are:
1. Encryption to the VPN server, and,
2. A new IP address
That's it.
Every VPN service gives you that.
So that's why I said in the OP that it doesn't matter that you don't like
my choice of VPN services. Choose whatever VPN service you like best.
It's impossible to tell someone how to pick the "best" VPN service, just as
it's impossible for me to tell you how to choose the best wife.
Everyone uses whatever metric they care about, but all I'm asking for in
this tutorial are two things of the VPN service.
1. It gives you encryption to the server, and,
2. It gives you a new IP address.
They all do that.
Post by Mike EasterYour principal strategy is to create some openvpn configs from free
service because you don't want to go to the trouble to anonymize
payments and then from that crop of freevpn/s, testing your schemes for
such as killswitch.
Remember my thread model, Mike.
I just want to jumble up my data on the Internet.
Let me give you a hint how I do that, but this is why I said this post is
only to you, and not really for general use.
I have about a score of web browsers.
Do you know how many web sites each one visits?
The answer is "one".
Yup.
Each browser only goes to a single web site.
Now WHY do I do this?
First off, it's trivial to set up, so it's easy to do, and then I can
customize the settings of the browser for each site, e.g., Google needs
some stuff, while duckduckgo doesn't, etc.,
But more to the point, the browser fingerprinting and cookies (if any) and
other browser-specific data will not cross reference as easily as if I used
a browser to go to more than one site.
Of course, I'm not so stupid as to not know about fingerpringint of the
operating system and fonts and screen technical data and canvass
fingerprinting, etc., but always remember I'm NOT hiding from a
state-sponsored adversary.
If I was, I would say that even Edward Snowden got caught.
He just ran faster than they could go to catch him.
The point is that "my adversary" is the common aggregators.
I'm not hiding from the mafia or a terrorist organization or a
state-sponsored adversary.
And I'd say that 99.9999999999999999% of the people out there who would
benefit from this tutorial have a similar threat model as I do.
It's not like I have secret blueprints on my computer which I pass daily to
my assistant in some sanction-ridden third-world country.
All I want is one thing:
1. A new IP address
Where I get the second thing, as a bonus, for free:
2. Encryption
Now, if I *pay* for a VPN service, do I get anything more than those two
things that I care about?
Post by Mike EasterThose are useful endeavors, but they don't actually
get the job done at all as far as selecting a *good* VPN service, which
seems extremely important to me.
Mike,
You know as well as I know that the threat model is the key starting point.
If 99.9999999999% of the people out there simply need these two things:
1. A new IP address, and,
2. Encryption to the VPN service
Then how many VPN services out there do NOT give the noob those two things?
If you have a bigger threat model, then you sure as hell shouldn't be a
noob.
There's this Dunning-Kruger concept of skills self assessment (most people
don't understand the DK effect - but it affects everyone - even experts).
As I said, this is really a personal note to you, Mike, so I'll summarize
the DK effect as, basically, the less skilled people are, the more skilled
they self-assess themselves to me - and - conversely - the more skilled
they are, not only do they self assess lower but they drastically
underestimate what it takes for others to reach their skill level.
The relevance of that summary is that any noob who thinks that by running
this cut-and-paste step-by-step tutorial, that they then have the skills to
defeat a state sponsored adversary, is certainly on the lowest end of the
DK scale.
All the noob is gonna get from this tutorial is that he'll be up and
running on VPN in about an hour (or so) and if he has already installed the
software and tested it, he's up and running in minutes.
It took me *years* to get to this point, so that is a VAST savings in time!
Post by Mike EasterYour 'selection' process is that of using the first free VPN service
that connects for you.
All I want is a new IP address.
Every VPN service gives me that.
Post by Mike EasterEarlier I mentioned one VPN service I had found after gaining some
knowledge from TOPS; but it turns out that ProtonVPN was just liked by
the person in a newsgroup because he also liked ProtonMail. Just
recently I learned that TOPS had reviewed ProtonVPN 2017 Nov and while
it wasn't really bad, it wasn't actually good either.
Mike,
This isn't our first rodeo.
I was one of the first people on Usenet, on the Linux and Windows
newsgroups, to be asking about "public VPN services", many years ago.
That's when I learned all the people respond by Keywords only.
Everyone (including you, as I recall), responded with a "roll your own"
answer.
Remember, this is a note just to you, so, what I'm saying is that I've been
on free public VPN services since before almost everyone on this newsgroup
(I wager).
When I used to ask for help in changing an IP address, everyone would tell
me to roll my own VPN server. When I asked about public VPN services,
everyone would tell me to roll my own VPN server. When I asked if I should
name my dog VPN, everyone would tell me to roll my own VPN server.
I've been on this rodeo for many many years (too many to count).
The problem you're bringing up with ProtonVPN is the same problem then as
now, which is that every vpn service has its pros and cons, but if all you
want is
1. A new IP address, and maybe, a bonus of
2. Encryption to the VPN service
Then *any* VPN service will work for you.
I'd suggest only OpenVPN, and I'd suggest the better encryption, but other
than that, any VPN service will work for *that* purpose.
You have asked many times, as I recall, "what is the threat?" which is a
perfectly valid question.
IF the threat is the NSA, then shit ... you're dead.
Really.
They tap EVERYTHING. They spend BILLIONS of dollar a year listening to all
our traffic. They must own thousands upon thousands of Tor directory
servers and Tor exit nodes. They have probably an arsenal of thousands of
zero-day vulnerabilities.
If you, or anyone here, thinks they're smarter than the NSA, then I'd say
they are likely on the lower end of the DK scale.
A VPN isn't gonna protect you from the NSA.
But, a VPN will give you a new IP address to, oh, say, Facebook.
Post by Mike EasterThe TOPS guy has actually tested the pay servers of many VPNs (as
opposed to just free VPNs), thus evaluating how discreet one can be in
payment as well as how well one can get a refund. The
/business/marketing/ of VPN services seems to be that even those who
don't have to/ or /choose to/ provide any free services almost always
provide a 'money-back guarantee' for the pay section. While that route
might seem more tedious, it does seem like a more thorough approach to
evaluating VPN services.
OK. Now we get to payware.
The only difference between payware and freeware is that you have to figure
out a way to anonymously pay for the payware, right?
There's no other difference right?
Now, since people are only keyword driven, I know you "could" and probably
"will" say that freeware makes your data the product, while payware
doesn't, but you don't know that.
You could also say that the NSA runs the free stuff but not the payware
stuff, but, again, you don't know that.
Besides, the most important thing of all which is that freeware is
available to EVERYONE INSTANTLY RIGHT NOW.
That's a biggie when you're writing a tutorial to get a noob up to speed.
If a noob just wants to do in minutes what took me years to set up, then
freeware is the way to go, is it not?
Now, let's get back to payware though, as most people are keyword driven,
so they simply assume that payware is 'better' than freeware (which, is
hard for me to comprehend since I know plenty of freeware that is better
than plenty of payware - but - I know how weak people's minds are when it
comes to keywords).
Let's get back to basics, where all I want is a new IP address and where
the encryption is simply an added bonus.
At the moment, with freeware, I can choose between any one of over six
thousand IP addresses, at will (according to your site and to the number of
config files I currently have).
Remember, all I want is the "random" IP address.
So, tell me Mike,
If I pay for the VPN service, what do I get that I don't already have, when
all I care about is to have any one of six thousand random IP addresses?
I'll tell you one thing I don't get - which is anonymity. If I use a free
VPN service, they know my IP address, and my traffic, but if I pay for a
VPN service, they *still* know my IP address and my traffic - and - they
have my credit card and home address and name.
Of course, since you're all keyword driven, you'll tell me that if I jump
through hoops, I can hide all that - and - you know what - someday I'll
bother - but at the moment, the freeware is easier than jumping through all
those hoops since all I want is any one of over six thousand IP addresses
at will.
And I get that with freeware.
Post by Mike EasterI would hope that once you have moved beyond just testing 'any old' free
VPN, that somewhere along the way you start getting interested in
finding VPNs for the privacy purposes for which they should be used.
The tutorial is for noobs.
For noobs, any working config file is perfect.
You can get them anywhere.
NOTHING changes in the tutorial if you choose a DIFFERENT VPN provider.
Nothing.
So, if anyone is gonna harp on "my choice" of VPN provider, the only way
you're going to HELP the NOOB is to suggest that VPN provider.
To wit, Mike:
*What VPN service do you recommend and why?*