
Re: [tor-talk] Tor -> VPN Clarification
On 02/01/2015 03:11 AM, Bill Berry wrote:
> 
> My take (on his take :) ) was that;
> 
> a) trusting a VPN for security is a bad idea because no VPN operator is
> going to go to jail for you (see HideMyAss and Sabu etc)
> b) he assumes most VPN accounts can be tied back to you; almost no-one
> is going to bitcoin+tor every interaction with their VPN provider
> c) given a+b, relying on a VPN as your exit is a bad idea for anyone
> with a FBI/CIA level opponent
> 
> This is a big generalization though; you could anonymise every
> interaction with the VPN, use a Russian VPN, chain VPNs together etc.

I agree with "a". It would be sad if "b" is true, but OK, let's assume
it. Then I agree that "relying on a VPN as your exit is a bad idea for
anyone with a FBI/CIA level opponent". Unless you have a clue, anyway.

However, this is _exactly the opposite_ of how Grugq's advice was
presented in the Privacy PC article that was cited in this thread:[0]

| In terms of technologies that you can use to help ensure that you
| maintain good OPSEC, on the subject of VPN vs. TOR, a lot of people
| seem to have thought that VPNs provide anonymity; that’s not the
| case. VPNs provide privacy, TOR provides anonymity, so the
| difference is: privacy protects your data, anonymity protects you.
| Therefore if you are using a VPN service, you have to make sure
| that you’ve gone through TOR first, otherwise that VPN is simply a
| link from the end point to yourself. So, TOR to VPN – ok; VPN to
| TOR – go to jail.

That is incoherent. Think about it. Certainly a "VPN is simply a link
from the end point to yourself" when you use the VPN alone, without Tor.
That's also the case when you connect to a VPN through Tor, if the VPN
provider knows who you are, by money trail or whatever.

But if you connect to Tor through a VPN, endpoints will see Tor exits.
They will not see the VPN. That's a key feature of Tor, after all.
Unless Tor has been hosed, only entry guards will see the VPN.

And it's not an error in the Privacy PC article. In Grugq's 2012 Hack In
The Box presentation "OPSEC: Because Jail is for wuftpd" at 46:25, which
has also been cited in this thread, we see:[1]

| * TOR connection to a VPN => OK
| * VPN connection to TOR => GOTOJAIL

Seriously, WTF? Are we not speaking the same language? Have I
misunderstood the distinction between "to" and "through"?

[0] http://privacy-pc.com/articles/hackers-guide-to-stay-out-of-jail-7-vpns-vs-tor.html
[1] http://www.youtube.com/watch?v=9XaYdCdwiWU

> On 01/02/15 07:36, Mirimir wrote:
>> On 01/31/2015 11:53 PM, Seth wrote:
>>> On Sat, 31 Jan 2015 17:47:20 -0800, Mirimir <mirimir@xxxxxxxxxx> wrote:
>> <SNIP>
>>
>>> I didn't make the claim, I just linked to it. If you want to
>>> challenge the claim, best take it up with the person making it.
>> Hey, no problem. But when I see misinformation, I say something.
>>
>>> I think he makes a good point in this slide however.
>>>
>>> ----------------------------------------------------
>>>
>>> * VPNs provides _privacy_
>>>
>>> * TOR provides _anonymity_
>>>
>>> * Confuse the two at your peril
>> Those are uncontroversial statements. But they don't speak to the claim
>> that getting your anonymity more privately makes it less anonymous.
> 
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
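A small model of the two chain orders argued about in this thread, added here as an example and not part of any post. It assumes each hop sees only the addresses of its immediate neighbours, that Tor's three relays are separate hops, and that a VPN paid for with a traceable account can map its customer to a real identity (the "money trail" above); collusion between hops and traffic correlation are deliberately outside the model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    name: str
    # Modelling assumption: a VPN paid for with a traceable account can map
    # its customer to a real identity even when the packets arrive via Tor.
    knows_user_identity: bool = False


USER = "user"
DEST = "destination"


def observations(hops):
    """Each hop in USER -> hops -> DEST sees only its previous and next
    address. Tor is modelled as three hops (guard, middle, exit), so the
    exit never learns who the guard's predecessor was."""
    nodes = [USER] + [h.name for h in hops] + [DEST]
    return {h.name: {"from": nodes[i], "to": nodes[i + 2]}
            for i, h in enumerate(hops)}


def single_hop_linkers(hops):
    """Hops that, acting alone (no collusion, no traffic correlation),
    can tie the user to the destination."""
    seen = observations(hops)
    linkers = []
    for h in hops:
        knows_user = seen[h.name]["from"] == USER or h.knows_user_identity
        knows_dest = seen[h.name]["to"] == DEST
        if knows_user and knows_dest:
            linkers.append(h.name)
    return linkers


# Constructed chains for the orders discussed in the thread.
TOR = [Hop("guard"), Hop("middle"), Hop("exit")]
ACCOUNT_VPN = Hop("vpn", knows_user_identity=True)  # money trail to user
ANON_VPN = Hop("vpn")                               # paid anonymously

CHAINS = {
    "vpn alone": [ACCOUNT_VPN],
    "vpn -> tor": [ACCOUNT_VPN] + TOR,
    "tor -> vpn (account)": TOR + [ACCOUNT_VPN],
    "tor -> vpn (anon)": TOR + [ANON_VPN],
}


def summarize():
    """Label -> hops that can link user and destination on their own."""
    return {label: single_hop_linkers(chain) for label, chain in CHAINS.items()}


if __name__ == "__main__":
    for label, linkers in summarize().items():
        print(f"{label:22s} linkable by: {linkers or 'no single hop'}")
```

In the "vpn -> tor" chain only the guard ever sees the VPN's address and the destination sees a Tor exit, whereas "tor -> vpn" lets an account-tied VPN link user and destination by itself, which is the point Mirimir makes above.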