back to article Is this a solution to Trump signing away your digital privacy? We give Invizbox Go a go

How fast things change: once upon a time (last week), Tor was seen as a tool for the paranoid and the criminal. VPNs were aimed at safeguarding traffic over insecure hotel and conference Wi-Fi networks – or for business. But following a Congressional vote this week to effectively scrap digital privacy rights and give US ISPs …

  1. Keef

    It might be good, but...

    The article reads like an advert and does not quote sources for the clams it makes on behalf of the product.

    Okay, I'm paranoid, but this does seem like a soft sell.

    For those who like homophones I prefer Tainted love.

    Keef.

    1. ObSolutions, Inc

      Re: It might be good, but...

      In fairness, the article does state that this product is not for the paranoid, so it may not be for you.

      Really, it's about whether you trust a company that has no interest in protecting your privacy vs. your trust in a company whose existence is dependent on doing just that.

      1. Keef

        Re: It might be good, but...

        You're wrong,

        The only instance of the word 'paranoid' in the article is here:

        'Tor was seen as a tool for the paranoid and the criminal.'

        I've read the article again a few times and it still smells like an infomercial trying to sell me the best juice maker ever invented.

        1. ObSolutions, Inc

          Re: It might be good, but...

          You're wrong, The only instance of the word 'paranoid' in the article is here

          Alright. The article does say:

          if you choose to use Invizbox's VPN, you are essentially trusting them completely with your privacy.

          and:

          We wouldn't go so far as to say the system is NSA-proof (what is?) but if you are serious about protecting your personal data ... – and you trust the VPN provider to be true to its word ...

          So if you are as paranoid as you say, then the article arguably tells you quite clearly that this product is not for you.

      2. Potemkine Silver badge

        Welcome in the Happy World of Care Bears

        whether you trust a company that has no interest in protecting your privacy vs. your trust in a company whose existence is dependent on doing just that.

        Trusting a company? Muahahahahahha!

    2. kierenmccarthy

      Re: It might be good, but...

      I'd argue it reads like a review.

      What in particular are you concerned about?

      Kieren

    3. diodesign (Written by Reg staff) Silver badge

      Re: It might be good, but...

      "does not quote sources"

      Mate, it's a hands-on review. It's... what our man Kieren thought of it after using it. It's not even a glowing review - we point out all the limitations and caveats as well as the potential benefits.

      C.

    4. JCitizen
      Coffee/keyboard

      Re: It might be good, but...

      If you want a good VNP solution to hide from the ISP you need a chart recommended by Krebs on Security.

      https://thatoneprivacysite.net/simple-vpn-comparison-chart/

      The more green bars the better. Here is the article I got it from:

      https://krebsonsecurity.com/2017/03/post-fcc-privacy-rules-should-you-vpn/

      1. Kiwi

        Re: It might be good, but...

        https://thatoneprivacysite.net/simple-vpn-comparison-chart/

        The more green bars the better. Here is the article I got it from:

        It would be nice if the site explained their "concerns", especially in a alt-text or simillar (I'll try to remember to send that off). Given that, IP Vanish doesn't get the most glowing "review" there (again knowing what the "something of major concern" about the "business website" is would be nice).

        https://krebsonsecurity.com/2017/03/post-fcc-privacy-rules-should-you-vpn/

        "In case any readers are unclear on the technology, in a nutshell VPNs rely on specialized software that you download and install on your computer. "

        Is that a Windows thing? Last time I set up a VPN I did have to install software on Windows, but that was to act as the server side (was a work VPN so we could get around massively expensive site licenses and database sharing issues with the accounting software by having the remote site connect via VPN to the main office machine). I don't recall adding anything special to the remote machine, aside from some tools to make the experience more "seamless".

        On my own Ubuntu machine I left-clicked on my network status icon, went down to VPN connections, configure VPN, add new and put in the relevant details. Nothing I recall about "specialized software that you download and install on your computer" at all.

        I understand using simpler talk to help non-techs understand stuff, but unless Windows isn't capable of being set up to use a VPN without extra software, should I trust someone's security advice if they're getting something wrong at this level? (Surely he could've said something like "specalised settings")

  2. Gene Cash Silver badge

    Congress shot itself in the foot

    So this is... strange. All the politicians are "we need to stop encryption!! 'cuz terrier-ists!"

    But then Congress basically pushes everyone toward encryption and high security if they don't want their ISP to monetize the hell out of them...

    1. Anonymous Coward
      Anonymous Coward

      Re: Congress shot itself in the foot

      Sounds to me like a real Trump deal.

    2. Alumoi Silver badge
      Coat

      Re: Congress shot itself in the foot

      Yeap, because all VPN companies have already benn bought/penetrated by 3 letters agencies. So the more people who might hide something sign up for VPNs, the easier will be to spy on them.

      1. paulnick2

        Re: Congress shot itself in the foot

        While choosing a VPN you have to make sure that the service you are trusting with your data is not be based in any of the 14 eyes countries, especially the US, because VPN providers based in the US could be pressured to share or hand over users’ data to ISPs or government agencies.

        source: http://www.geektime.com/2017/03/28/how-to-protect-your-data-from-being-sold-by-your-isp/

  3. Paul Crawford Silver badge

    It sounds like a great solution for the technically-challenged that value their privacy.

    Lets face it, most people have little to fear from the likes of GCHQ/NSA/FSB/etc because the majority of folk who are likely to be after them or pestering them won't be getting data from such agencies. However, if you are politically important or work high up in a 1$B business that is unlikely to be the same case, but then you would have some competent IT folk to take care of you and you would not use a skanky old Android phone would you?

    Sadly many don't realise the long-term consequences of world+dog having all of their secrets on hand to monetize via advertisement or blackmail with down the line...

    1. Anonymous Coward
      Anonymous Coward

      re: most people have little to fear

      Just remember: it's not todays government you need to fear. It's tomorrows.

      1. mics39
        Mushroom

        Re: re: most people have little to fear

        "Just remember: it's not todays government you need to fear. It's tomorrows."

        No. It's the present regime of Trump and the heartless Republicans and selfish Libertarians that is feared. Of course May, Erdogan, Putin, Mugabe etc too. There could be no tomorrow after this lot.

        1. Charles 9 Silver badge

          Re: re: most people have little to fear

          "No. It's the present regime of Trump and the heartless Republicans and selfish Libertarians that is feared. Of course May, Erdogan, Putin, Mugabe etc too. There could be no tomorrow after this lot."

          Oh? What about a future regime the criminalizes all encryption not backed (and crackable) by the State? "Nothing to hide, nothing to fear" and all that? Never say things could get worse because in the end the law is just ink on a page.

    2. John Smith 19 Gold badge
      Gimp

      "many don't realise the long-term consequences of world+dog having all of their secrets on hand"

      It will be an interesting time when they do will it not?

  4. Will Godfrey Silver badge

    Looks OK to me.

    Describes what it does in reasonable detail, and clearly points out the possible issues. Reads just like an honest review to me.

    1. Anonymous Coward
      Anonymous Coward

      Re: Looks OK to me.

      "Reads just like an honest review to me."

      And that's what frightens me. An honest review? When's the last time you've seen one? You know what they say, if it's too good to be true...

  5. elDog

    OK - now it's up to the US congress to ban VPN, HTTPS, Tor

    And I wouldn't put it past them.

    Know-Knuthings. Yet they want to keep their dalliances with foreign dancing girls (and/or men) secret. Hush-hush their money supplies. Incredible hypocrisy.

    1. Steve Davies 3 Silver badge
      Coat

      Re: OK - now it's up to the US congress to ban VPN, HTTPS, Tor

      Good luck banning VPN's

      Far too many {cough,cough} companies who donated to El Trumpo's campaign use VPN's on a daily basis. Most remote workers and even remote sites use VPN's to feed data back to Head office in a secure manner.

      The CEO's and probably a good number of Senators/Congress critters use VPN's to mask their 20th hole activities so how do you expect a ban to get passed into law?

      What you the really paranoid need is for the VPN's to

      1) run to endpoints in different countries

      2) switch between those endpoints every minute or so.

      That will make it harder for the TLA's to track them but it will stop the plots of US TV Dramas showing that it takes only a few seconds to decrypt a fully encrypted hard drive when they don't have the key.

      Mines the one with an invisibity cloak in the pocket.

      1. Ole Juul

        Re: OK - now it's up to the US congress to ban VPN, HTTPS, Tor

        What you the really paranoid need is for the VPN's to

        1) run to endpoints in different countries

        2) switch between those endpoints every minute or so.

        And that's exactly what companies like proxy.sh offer with their multi-hop technology. They're not cheap, but they're good and trivial to set up. In fact I'd ague that it's a lot easier for a non-techie to set up than what's on offer in this review.

        Yes, I've tried their service, but currently prefer to just use a cheap VPS as a single point VPN to browse though. That's cheap and easy for someone with a bit of tech interest, and good enough for me.

        1. JCitizen
          Alert

          Re: OK - now it's up to the US congress to ban VPN, HTTPS, Tor

          So Ole Juul how do you know proxy.sh isn't sniffing your packets too??

      2. Anonymous Coward
        Anonymous Coward

        Re: OK - now it's up to the US congress to ban VPN, HTTPS, Tor

        "Good luck banning VPN's Far too many {cough,cough} companies who donated to El Trumpo's campaign use VPN's on a daily basis. "

        So what.

        All the establishment has to do is ban *unauthorised* VPNs. Obviously the authorised VPNs are fully documented as part of the authorisation process run by Trump donors and their friends at home and abroad (London, Russia, etc), all their necessary hashtags for decryption will be documented centrally (just like Amber Rudd in London wants), etc.

        All the other VPNs are by definition illegal and by definition run by terrists who have just volunteered to be locked up.

        The War Against Terror just got easier.

        Didn't it?

  6. Anonymous Coward
    Anonymous Coward

    Or you could use a £9 Pi zero W

    Just an option, as it's a tech site

  7. elDog

    So who's worried about the browser vendors?

    Adding the S on the end of HTTP is supposed to encrypt traffic to/fro the endpoint. In between it is available to the browser and to things like extensions.

    Yes, the "better" browsers are open-source but we really don't know what we're running when we launch its executable.

    1. P. Lee

      Re: So who's worried about the browser vendors?

      >we really don't know what we're running when we launch its executable.

      But that is also not under the control of the ISP's. Compromising that would be illegal and unlikely. I would be inclined to redirect traffic to 8.8.8.8 to somewhere else and not use Chrome, though.

    2. tom dial Silver badge

      Re: So who's worried about the browser vendors?

      Debian, for one, and very probably Red Hat and a number of other distributions, are working on the problem of assuring that the executables verifiably result from the published source. I've followed the Debian discussion some, and concluded that while they are making progress, it is a seriously difficult undertaking and will take a fair amount more time. As noted, "open source" alone is far from sufficient.

      1. Charles 9 Silver badge

        Re: So who's worried about the browser vendors?

        The whole problem is a matter of trust, and at its ultimate level, the problem is intractable; there's no way to ensure that whom you trust hasn't been subverted without your knowledge. It ultimately amounts to a Leap of Faith that you have to place your trust SOMEWHERE to get things done at all.

  8. OliP

    It does sort of help in this instance against the ISPs selling your data to anyone offering the cash, but any other protection is surely mitigated by the fact its routing your entire connection through it? Logins and all, so the feds can just get what they want regardless.

    I can easily believe the investment of breaking vpn or ssl sessions would be tiny compared to the profits they'd make here however.

  9. Anonymous Coward
    Anonymous Coward

    Unfortunately if Tor or devices like Invizbox begin to seriously encroach on an ISPs personal data sales revenues they can block you from using them by refusing service. I foresee them making them a TOS violation at minimum.

    1. Ole Juul

      there's always another way

      I'm not sure you understand VPN and Tor usage. :)

      Use port 443 to your VPN and the ISP can't distinguish it from regular https traffic. Use the VPN to carry the Tor traffic past the ISP and you can use Tor without them being able to detect it.

      1. Charles 9 Silver badge

        Re: there's always another way

        What if they force all HTTPS traffic through their own proxies a la enterprise proxies that user their own certificates and everything?

        1. Anonymous Coward
          Anonymous Coward

          Re: there's always another way

          "What if they force all HTTPS traffic through their own proxies a la enterprise proxies that user their own certificates and everything?"

          Change ISP to one that doesn't play that game? That's the way free markets are supposed to work, isn't it?

        2. Kiwi
          WTF?

          Re: there's always another way

          What if they force all HTTPS traffic through their own proxies a la enterprise proxies that user their own certificates and everything?

          Then that ISP goes out of business. Simples isn't it? Just takes a second of thought to see how that'd kill them PDQ.

          1. Charles 9 Silver badge

            Re: there's always another way

            Not if it's mandated by law. Then ALL the ISPs have to do it.

  10. steve 124

    I use Tor to access MySpace on my Netscape browser

    People concerned about security and privacy use Tor? WTF?

    I can't speak for the VPN provider, I personally won't use them because unless they are in the Maldives, they can probably be "compelled" to provide your data by the US Gov, but anyone who uses Tor is asking for a visit from the Feds at this point. Tor has become the go to network for illegal activities and there's no way I'd let traffic from the Tor network go out via my gateway IP (you ARE responsible for activities on your IP address). To my knowledge, there is no way to opt out of the outbound flow of Tor traffic, so if you're masking your activities by pushing it out someone else's gateway, everyone else is doing the same to yours (not to mention, as Karen said in the article, you're trusting that endpoint with your non-encrypted traffic). This device puts Tor in the hands of potentially non-tech savvy users that may not fully understand the technology it deploys or the implications that come with becoming an outbound node for the Onion Router network. Be very very cautious.

    Nothing negative about your article, but it's very important people understand the risk involved in putting Tor on their home network.

    I like the encryption plugin and think that with some locking down of your browser cookies folder (and, of course, being careful about the things you do on the web) are your best options at this point.

    1. AegisPrime
      Facepalm

      Re: I use Tor to access MySpace on my Netscape browser

      You've been misinformed - most typical uses of Tor (say for instance, using Tor Browser) don't turn your device into a gateway - you have to set that up yourself if you want to do that (and of those that do, many do it on rented servers).

      If you're just browsing the web with the Tor Browser then you're connecting in much the same way as you connect to a VPN - and like a VPN, your traffic is spilling out of another Tor node somewhere in the world along with all the pedophiles, pirates, terrorists and innocent people who value their privacy.

      In other words, nobody's going to be downloading kiddie porn from your IP address whilst you're using Tor.

      Personally, I prefer to use a VPN to keep my browsing private - not because of any inherent concerns about Tor but simply because it's usually faster.

    2. Paul Crawford Silver badge

      Re: VPN providers

      "I can't speak for the VPN provider, I personally won't use them because unless they are in the Maldives"

      You could do a little research such as:

      https://torrentfreak.com/vpn-services-anonymous-review-2017-170304/

      https://www.bestvpn.com/best-vpn-services/

      (a bit advertorial, but they do cover country-of-origin in the pros & cons)

      https://airvpn.org/

      https://www.mullvad.net/

      It is true that ultimately you are placing your trust in a VPN company instead of your ISP & government, but the flip-side of that is VPN providers depend on trust so they are more likely to honour that than ISPs that are (a) open to whoring you to advertisers, and (b) generally under the thumb of the government.

      Which is another reason to ALWAYS get a VPN from another country - even if they do log your activity (against any stated policy) they are virtually guaranteed to demand a proper court order in their own country, and not answering some back-door surveillance law of your government. Oh, and don't forget to test your VPN with one of the many leak-detecting sites out there...

      1. Anonymous Coward
        Anonymous Coward

        Re: VPN providers

        "Which is another reason to ALWAYS get a VPN from another country - even if they do log your activity (against any stated policy) they are virtually guaranteed to demand a proper court order in their own country, and not answering some back-door surveillance law of your government."

        Not even IN SECRET through mutual spying agreements?

        1. Paul Crawford Silver badge

          Re: VPN providers

          Pays your money, places your trust...

          Even if they do have a SECRET spying agreement, do you think that would extend to telling your local councillors or school board about anything you / family might have been up to? Do you think that those TLAs would share such spying intelligence with insurance companies or job recruitment agencies?

          In short, do you think that would matter to most people's activities unless very dodgy and they have a high security clearance?

          1. Anonymous Coward
            Anonymous Coward

            Re: VPN providers

            "do you think that would extend to telling your local councillors or school board about anything you / family might have been up to? "

            Depends. If the motivation for disclosure was to discredit someone, a few tasty snippets might go a long way.

            Think this kind of thing doesn't happen? It's been happening for years. See e.g. Jeremy Thorpe.

            https://www.youtube.com/watch?v=6xi-agPf95M (7 minute summary)

            BBC versions:

            http://www.bbc.co.uk/news/uk-politics-30349535

            http://www.bbc.co.uk/programmes/b04wz633

      2. paulnick2

        Re: VPN providers

        Trust only those companies who are based outside 14 eyes countries. For example! if you are in UK, you should start using this uk vpn https://www.purevpn.com/uk-vpn-services.php

  11. P. Lee

    >Tor has become the go to network for illegal activities

    Well, the internet is the go-to network for illegal activities.

    I think the point is that Tor is generally too technical for the masses and little device might make things easier. The NAT router of layer-7. By making it clear that privacy has been sold, there should be an impetus for people to take responsibility for themselves.

    Even if the NSA is running most of the tor exit nodes, at least they are probably keeping your browser history mostly to themselves.

    1. Charles 9 Silver badge

      Re: >Tor has become the go to network for illegal activities

      "By making it clear that privacy has been sold, there should be an impetus for people to take responsibility for themselves."

      Except most people don't care. Look at all the sheep sharing selfies on Snapchat or exposing their everyday lives through Facebook and Twitter and so on. The smart are being seriously outvoted.

  12. DrM
    Meh

    Opting Out?

    I use a VPN. Many websites such as Ticketmaster notice I am popping out of an IP address used by VPN's and block me, I must turn off the VPN to access these websites.

    So, #1, a VPN isn't a complete solution.

    #2, can the Invizbox be easily bypassed for Ticketmaster and the rest, or must one give them up?

    1. frank ly

      Re: Opting Out?

      I've noticed this VPN blocking by some websites. It seems to be sites that do sign up and payment processing. I think they're trying to prevent fraudsters from misusing credit cards.

      1. Lyndon Hills 1

        Re: Opting Out?

        I think they're trying to prevent fraudsters from misusing credit cards.

        One of the checks done to spot fraudulent use involves comparing the country of the card issued with the country identified from the current ip address of the person using it. If they don't match the transaction is flagged as potentially fraudulent. Depending o the processor's rules, it can be denied. Using a VPN would make this less effective, not to mention you don't get an ip address for the possible fraudster.

    2. tiggity Silver badge

      Re: Opting Out?

      Or of course you can boycott Ticketmaster, always a good option IMHO

      1. Trump rulz

        Re: Opting Out?

        What? You want to cut out a toll-taking middleman? It's people like you who keep America from being great again.

    3. Kiwi
      Boffin

      Re: Opting Out?

      I use a VPN. Many websites such as Ticketmaster notice I am popping out of an IP address used by VPN's and block me, I must turn off the VPN to access these websites.

      One can hope that, if people start to significantly increase the use of VPN's etc, then at least some of this activity will stop - if you want customers you have to let them in even if on a VPN simply because "everyone is using them now thanks to the yanks".

      There are ways to confirm someone's address without caring where they are from. TradeMe in New Zealand has an "address verification" system where they send a letter to an address (with rules about it, ie must not be a commercial address IIRC) and for 2 years after that you have that tag on your account name. It is possible to limit auctions only to verified members. Google does the same with some of it's business stuff. I can't recall what but they did send us a card (with a code we had to put into their site) to verify the location of the shop.

      Sure it takes a bit longer, but sites like Ticketmaster could set up a basic system to do that - you give them a postal address, they send a code out, you enter the code and they know that at the very least you can receive mail at that address. They can add in safeguards like not having too many people using it (so if they get 200 people "living at" a normal residential house, they can be sure there's doings afoot, and can ban commercial addresses as well).

      If a puny little NZ company can get it right, I'm sure others can. Though if Ticketmaster is like their NZ counterparts, maybe an end to their existence would be the better option.

  13. Anonymous Coward
    Anonymous Coward

    Err, not yet.

    IMHO, they still have some fixing to do so I hope they read this.

    1 - First of all, a route through Tor means you won't get to many websites that now screen against it (which includes mine). The reason for that is simple: in 10 years worth of website traffic analysis, I don't even get to 0.01% of traffic from Tor that is benign. In general, if traffic is Tor originated it is an attempt to breach the site. Sorry Tor fans, but that's the truth. So that's a no on usefulness unless the user can choose between Tor and non-Tor.

    2 - I am *extremely* reluctant to use any "security" product if I don't know who is behind it, and by that I don't mean names and mugshots of developers and people, I mean the company. The reason for that is simple: I need to know just how exposed they are to a visit from people in Government issued suits and sunglasses, and from a corporate POV, I need to know if they'll still be there tomorrow or I'm stuck with the equivalent of a Microsoft Zune (I hope the hardware can be repurposed). Having to mine the site before I can find it (you'll eventually find in the privacy policy that they're registered in Ireland, after which you can look them up in the business register but that shouldn't be something I have to work for, that should be right there on the website. Those details matter if you're trying to establish trust, or it makes you look like you have something to hide (heh).

    2a - apropos privacy policy. They use Google Analytics, and seem to believe Google's assertion that it respects privacy. That *seriously* worries me - what other assumptions have been made? As the site is Wordpress (easy to see in the page source), why not use local statistics like Counterize?

    3 - if I recall correctly (I think it was on Forbes somewhere), the security market in the US alone is in the $14bn bracket and from my experience quite LOT of that is snake oil vendors and people who have nice ideas and good marketing teams but who pay rather less attention to what is actually important. Until such time as there is an independent evaluation of what's in that box, statistics suggest it's not good news. Being Open Source is good, but on their site there is no link to source code which is again an uncomfortable omission.

    I like the idea, but I'm not getting that "I'm saved" vibe it should give. Maybe the Jehovah guys were right and that is reserved for Jezus alone..

    1. Anonymous Coward
      Anonymous Coward

      Re: Err, not yet.

      > I hope they read this.

      We did :) Liz and I (Paul) are away on a short break so I'll keep this short-ish

      > unless the user can choose between Tor and non-Tor.

      They can :) We have 3 modes - VPN, Tor and "WiFi Extender" (i.e. just route traffic through the network you're connected to

      On who we are and whether we'll be there tomorrow - You may have missed our bio's (home page / about us). I suppose we're as exposed as anyone to a trip from the government but Ireland's not exactly known for that kind of messing. We're running a few years now so not exactly fly by night variety either.

      On marketing teams - well, the techies have taken on that responsibility. We're not as polished as others, but I like to think we're more honest as a result.

      Analytics is a short term thing so we can learn how people use the site. We'll pull it soon because we're not fond of it either but it's hard to compete without ever using it.

      Probably you'll remain to be convinced. That's what I'd call healthy skepticism. No harm!

      1. Mage Silver badge
        Unhappy

        Re: Ireland's not exactly known for that kind of messing.

        Yes, even when they should, the Financial Regulator (Anglo Irish), Comreg (Three and NBS, or Eircom/Eir), Data Regulator (Facebook, Dept of Social Protection outsourcing), BAI (TV3) are rather soft touch.

        Sadly Ireland need more intrusive proactive regulation, it's a not a lack of laws, it's unwillingness to enforce them, partly because that costs money and votes.

      2. Kiwi
        Trollface

        Re: Err, not yet.

        Analytics is a short term thing so we can learn how people use the site. We'll pull it soon because we're not fond of it either but it's hard to compete without ever using it.

        There's other tools out there, many that aren't such scumbags for privacy/security :)

    2. Tikimon
      FAIL

      Re: Err, not yet.

      "In general, if traffic is Tor originated it is an attempt to breach the site."

      And the general internet does NOT route attacks to your site? Oh, it does? If a defensive strategy is good enough to handle the daily non-TOR attacks, they're good enough to leave TOR open. If they're not, you're pwned anyway. You might as well block all traffic from Brazil, since they're a growing malware hotspot. And Russia, definitely them. And then, and then, and...

      I'm voting with my virtual feet and refusing to do business with TOR-blockers. It's like insisting on Adobe Reader or Java to use a site, forcing me to use an insecure product over a secure one. No thanks!

      1. Anonymous Coward
        Anonymous Coward

        Re: Err, not yet.

        And the general internet does NOT route attacks to your site? Oh, it does? If a defensive strategy is good enough to handle the daily non-TOR attacks, they're good enough to leave TOR open. If they're not, you're pwned anyway. You might as well block all traffic from Brazil, since they're a growing malware hotspot. And Russia, definitely them. And then, and then, and...

        It is exactly because we do indeed geo-based blocking that this whole Tor discovery was made. Some of our sites are not that public (no SEO, not "www".somedomain etc) so we used those to see what floated in on requests and a very high quantity of 404 traffic was Tor originated. We then started to look at Tor hits that were non-404, and we had to go back several months before we found site access that wasn't seeking to subvert the site. Ergo, Tor is not a source of customers for us, and it makes sense to block Tor nodes to improve security.

        I'm voting with my virtual feet and refusing to do business with TOR-blockers. It's like insisting on Adobe Reader or Java to use a site, forcing me to use an insecure product over a secure one. No thanks!

        That makes no sense. You prefer sites that leave themselves open to a major channel for hacking attempts and then state you do that because it's safer? Really? With that sort of logic you wouldn't understand the rather extreme lengths we go through to protect ALL our visitors. In our opinion, someone should not HAVE to use Tor to have their privacy protected but we reserve the right to deny access to those that seek to harm our facilities.

        1. Kiwi
          Boffin

          Re: Err, not yet.

          With that sort of logic you wouldn't understand the rather extreme lengths we go through to protect ALL our visitors.

          Either your tools protect your users against attacks via TOR, or they don't protect you from attacks from the rest of the net either.

          If they can't protect against attacks via TOR then they're not exactly "extreme lengths".

          Could you please tell us what domain(s) you own? I feel a need to make some changes to my hosts file, just in case I find my way there by accident. Your approach smacks of "security by obscurity" especially if you're worried about bots trying random urls. I see a lot of that and you know what? So what. So they'll get a 404, and they may even discover some of the URL's available on my server. Oh gee I better run for the toilet I'm shitting myself so bad at the thought!

          1. Anonymous Coward
            Anonymous Coward

            Re: Err, not yet.

            Your approach smacks of "security by obscurity" especially if you're worried about bots trying random urls

            Nope - I simply close the highways that only leads criminals to the site. We don't sell to China, Russia or Brazil so those countries won't see more than the frontpage. We have seen over the year so few legitimate access to the sites from Tor nodes that it was a no-brainer to shut access to Tor nodes as a protective measure, and we do that at network level so even portscans don't get through. You seem to think we focus on Tor but for the traffic we see, Tor is simply another collective origin of trouble like China et al so we block it just like we do complete countries. It's a simple business decision: am I going to waste my time defending from a type of traffic that I know not to yield any business benefit or do I shut it down so I can focus on other threats?

            We used some unpublished sites to check on backscatter traffic like the usual IP sweeps and portscans, and that too contains a large portion of Tor nodes. The main sites where we filter are rather well known and no, I'm not going to give you the domains and paint a target on my customer's back.

            I'm perfectly OK with you wanting to avoid our sites because you somehow feel slighted that we block Tor traffic for simple business security reasons. Just keep using Tor and there is no risk of you ever having even accidental acces to our sites. Easy.

            1. Kiwi

              Re: Err, not yet.

              I'm perfectly OK with you wanting to avoid our sites because you somehow feel slighted that we block Tor traffic for simple business security reasons. Just keep using Tor and there is no risk of you ever having even accidental acces to our sites. Easy.

              I don't feel slighted because I don't use TOR (bar for the odd test from "outside" my network).

              Why I wish to avoid any sites you maintain is your approach to security. As I said, if you cannot beat off the attacks from TOR, you cannot beat of other attacks. And while you're pissing your panties over the "obvious" attack attempts from one source, you're completely oblivious to attacks from others.

              A couple of years back my systems fought off a significant (for us) and sustained attack (lasted over a week, 24/7). I was in contact with a number of ISP's and services like Amazon AWS when there were significant numbers coming from their IPs (one AWS IP says little, a couple of hundred however...). Several hundred hits on each of the services on each of the servers every hour (web, email etc machines were on different IP's and in different locations). Non-published services (eg our email server also had a backup copy of the websites we managed just in case) were targeted just as much as the front door. Lots of attempts to get in through other closed doors, eg telnet (which didn't have anything to answer it). I was nervous the whole time, but nothing got through - although I did waste a lot of time on it. A compare of files from backups confirmed that nothing had been changed in /etc or elsewhere, and checks with tools such as rkhunter and others (names don't come to mind) confirmed it.

              Of the literally millions of attempts to gain entry, not one got in. And of the literally millions of attempts to gain entry, I did not see one single one that appeared to come from a TOR exit node. Most were from home machines that were part of a botnet I suspect, given the repetitiveness of each attempt (eg trying the same 3 usernames on SSH before Fail2Ban or DenyHosts kicked the IP out).

              Yes, systems with much better security than mine do get broken for various reasons. By the grace of God mine didn't - some of that was finding the right tools.

              Blocking TOR is nothing with the millions of infected security cameras and other devices out there - devices that will attack your servers from within the IP ranges of your target demographic. If I want to attack your system from somewhere NOT my home IP then I have options - take over someone else's machine (via direct hacking or drive-by website), find some place with free WiFi (any public library, any CBD, any McDonalds, any cafe, a number of homes and businesses with "guest" WiFI). TOR is often slow, whereas sitting in my car or in a nice cafe with a decent coffee, or in a nice quiet library gives me a speedy and largely untraceable location. Warm and cosy in Winter too. And given the number of people like you out there who think that blocking TOR makes a big difference, why would I bother trying to break in via the back door when I can walk in past the large "Welcome" sign by the front door?

              More and more people are using TOR or VPNs, and given what is coming out of the UK, US and Europe, those numbers may soon skyrocket. Meanwhile attackers grab IoS toys by the bushel and mount attacks from unsuspecting households the world over, without giving the merest thought even to the existence of TOR.

              Oh, the Germans "closed" lots of highways, blowing up bridges etc. Somehow Berlin still fell.

              (FTR, my hacking experience is very limited, a little bit of showing friends/customers how shit their router is or how easily breakable some of their other "security" has been - and a few checks of bug reports to test if my systems are (still) vulnerable)

              1. Anonymous Coward
                Anonymous Coward

                Re: Err, not yet.

                As I said, if you cannot beat off the attacks from TOR, you cannot beat of other attacks. And while you're pissing your panties over the "obvious" attack attempts from one source, you're completely oblivious to attacks from others.

                By what Trumpian twist of facts did you arrive at a conclusion that I ever stated that we only focused on Tor nodes? Try not to put words in my mouth. Tor nodes are simply part of the traffic we have to defend against, but my point was that Tor nodes seem to originate hacking attempts almost exclusively, and never feature anyone attempting to access a site for just doing what the site is for. From our analysis, it means that traffic from a Tor node can this be dropped without even bothering to examine it further, unlike, for instance, traffic that originated from the US.

                We have as yet not been hacked. That's no reason to get cocky (hence the "as yet"), but it suggests we're doing OK and part of that is because we secure and monitor the whole stack, not just 404s and not just automated (and that includes the ever more needed DDoS defences, which is why Windows and IoT piss me off something rotten). Part of the brief of my team is to keep their manual skills sharp too, so there is a rotation where everyone gets to test things manually, read log files and also run a test recovery of a site (checks that the backups are working). And no, we don't trust anyone - for the private side of things (personal details and financials) we have a DMZ proxy process and 4 eyes login on the core so people can prove they've done things correctly if things do go pear shaped.

                We've been online from when the Internet was still accessed with 9600bd modems..

    3. Kiwi
      Boffin

      Re: Err, not yet.

      1 - First of all, a route through Tor means you won't get to many websites that now screen against it (which includes mine). The reason for that is simple: in 10 years worth of website traffic analysis, I don't even get to 0.01% of traffic from Tor that is benign.

      And what about normal stuff? I can say without a doubt that even at the highest amount of legit customers/site/day the vast majority of the traffic hitting my systems was either attempts to breach or some other attack on the servers, and the only TOR traffic I saw was from me when I was wanting to look at some things from "outside" the local network (or a couple of times when I'd tripped my own security and had my IP blacklisted and needed to reset things). Most of my traffic (over 70% I believe) was attack traffic, all of it from legit IP's.

      As more people start to use TOR and VPN's, you will have to choose - lose customers or allow them through.

      2 - I am *extremely* reluctant to use any "security" product if I don't know who is behind it, and by that I don't mean names and mugshots of developers and people, [..] after which you can look them up in the business register but that shouldn't be something I have to work for, that should be right there on the website.

      No. If you're as "reluctant" as you claim, you should be doing the legwork yourself. Anyone can put any characters they want onto a website they own. If they wish to put false details onto that website then unless you take some time to hunt deeper, you'll only see who they want you to see. If you trust they enough to trust that all of their people are who they say they are, then you might as well not read their site further because you'll also trust them when they say "We properly annonymise your data and never sell it on, honest!" without taking any further steps to verify.

      2a - apropos privacy policy. They use Google Analytics, and seem to believe Google's assertion that it respects privacy.

      Now that we can agree on. How can you trust someone who claims to respect or help protect privacy if there is any google JS on their site? Especially the analtics.

      I can also agree with your point 3.

      1. Anonymous Coward
        Anonymous Coward

        Re: Err, not yet.

        No. If you're as "reluctant" as you claim, you should be doing the legwork yourself. Anyone can put any characters they want onto a website they own. If they wish to put false details onto that website then unless you take some time to hunt deeper, you'll only see who they want you to see. If you trust they enough to trust that all of their people are who they say they are, then you might as well not read their site further because you'll also trust them when they say "We properly annonymise your data and never sell it on, honest!" without taking any further steps to verify.

        Tomato, tomahto - when they state something on the site and it checks out (yes, I agree, always check), you have a statement and confirmation of veracity. If they don't say anything they raise the question why they make you work for it. "Do NOT trust and verify" is one of our core principles when running an audit for clients.

        As I said before, I like the idea but our bar of accepting claims of security lie high and privacy is an easy word to bandy around. What I like is that they did pick up comments and responded sensibly* (read: without attempting to snow the issues raised) because that shows the sort of intent we like.

        I may get in touch at some point.

        * Sensible except their use of Google analytics - it's not rocket science to find a local tool to achieve the same and using Google is a bit like putting a large, bright neon sign "This one is interested in VPNs" on all IP addresses that hit the site. Getting customer protection right is hard - lots and lots of variables to control.

  14. Zap

    Lifetime VPN $30 to $40

    I like the idea of the box but they are nuts if they think I am paying that mch!

    Of course there is a totally free option which is to use Opera with built in VPN.

    However, if you use Facebook (or any page with an FB share button), Google (or any page with Google Plus share or Google ads, or Google Analytics or Google Tag Manager). You are sharing your habits with a profile. That profile is offten hidden in flash setup files so if you delete your cookies they can link it back to your profile.

    In Firefox you can use ghostery, uBlock Origin, Cookie Controller and Better Privacy to inhibit these spies.

    On Black Friday I got this stack social deal for $29.99 less a code which took it to $22

    https://stacksocial.com/sales/vpn-unlimited-lifetime-subscription

    They do not say who it is from, it is some Russian outfit (eek) called KeepSolid, reviewed here:

    http://www.techradar.com/reviews/pc-mac/software/utilities/keepsolid-vpn-unlimited-1325618/review

    http://uk.pcmag.com/vpn-unlimited/78538/review/keepsolid-vpn-unlimited

    They do NOT support Torrents on all their servers.

    1. JCitizen
      Holmes

      Re: Lifetime VPN $30 to $40

      A good read at the Electronic Frontier Foundation, may help folks who don't know what you are talking about.

    2. Anonymous Coward
      Anonymous Coward

      Re: Lifetime VPN $30 to $40

      I like the idea of the box but they are nuts if they think I am paying that much!

      That's actually on the low side for privacy, but the issue is that they're not really offering privacy, they're offering security measures. Not that that is a bad thing, but always consider what you do in context of the laws you are subjected to, and what your supplier is subject to or you will discover that you may have a dependency on something that isn't helping all that well. Both Lavabit and Silent Circle discovered that attempting to ignore the law is not a very good idea (being in the US is a lot worse for a service provider than being in Ireland, trust me on this).

      Now, back to price, it depends on what price you put on privacy or even better, examine the costs of it failing..

  15. JLV

    extra info, please?

    Actually, what exactly are the new regulations allowing ISPs to do?

    Someone was talking about the Kickstarter campaigns to buy Trump's and other Congress folks' internet history. To which someone replied that the law does not allow ISPs to sell individually-identifiable, rather than aggregate, info*.

    Which sounds reasonable, except that I wonder how ISPs are to profit from "anonymous browsing data". I.e. as far as I can tell, there are two ways to directly make advertising money off browsing habits.

    Let's say you are looking at new cars. ATT can:

    1. Sell the data onto third parties, with email and sundry, individual info. This will allow those 3rd parties, like Ford, to send you, Joe Schmoe, spam or perhaps serve you ads when they recognize your IP or whatnot. In this maybe, ATT does not sell all your browsing habits. But it does tell Ford which of its customers are looking at cars and your info is part of that lump.

    2. Become an ad broker, like Google. In this model, ATT would not have to tell anyone that you are in the market for new cars. They'd just enter into a deal with Ford to show ads, somehow, when you are on various webpages. That's the Google and FB model. Not great, for those who don't like ads, but at least your car fetishes are only known to ATT, rather than disseminated throughout the known universe.

    So, do the new regulations allow for identifying info, such as IP/email/name to be sold on to 3rd parties, along with the relevant browsing habits? Or did I miss another way for ISPs to make $$$, wo providing your identity?

    * re. the Kickstarter - Trump, Pai and the congress guys will probably get the taxpayer to foot their bill for a non-intrusive ISP service, government confidentiality oblige. So no go anyway.

  16. Mage Silver badge

    Comparison

    How does it compare with customising Openwrt on a router?

    Can a VPN server be set up on regular Linux hosting so only your (possibly German or other non-USA) hosting company and their peering know about your hosted VPN traffic to public internet? Like you don't need Tor, just a non-USA access point if you are in the USA?

    1. Kiwi

      Re: Comparison

      Can a VPN server be set up on regular Linux hosting so only your (possibly German or other non-USA) hosting company and their peering know about your hosted VPN traffic to public internet?

      I've been looking into setting up my own VPN (on a Pi-shaped device) recently for purposes so eg you could "safely" use your smartphone with someone else's free WiFi, "safe" in the knowledge that all traffic will be diverted through your own home connection.

      I haven't actually gone that far with it yet BUT I have come across numerous tutorials for setting up a VPN with various services. If you're able to install software (and maybe even just some heavy PHP) on the system you should be able to set up a VPN on it much like if it was at home. You'd just have to pay for the machine use and the traffic, as normal with these things.

      I'd hazard a guess someone's got a PHP way for you to HTTPS into a web page and have the server grab the resulting page you type into an address bar in the page - much the same as various page speed tests and other stuff would do. Been a long time since I played with PHP and I haven't looked for something like that as yet, so I am only guessing.

      HTH

      1. Suricou Raven

        Re: Comparison

        "I'd hazard a guess someone's got a PHP way for you to HTTPS into a web page and have the server grab the resulting page you type into an address bar in the page"

        You mean a CGI proxy. Common services, funded by the adverts they insert into the page - much beloved by school students, as they can be used to get around the web filter and access games. I won't link any here, but it's about thirty seconds on google to find one. I'm sure the free ones log everything though.

        1. Kiwi

          Re: Comparison

          "I'd hazard a guess someone's got a PHP way for you to HTTPS into a web page and have the server grab the resulting page you type into an address bar in the page"

          You mean a CGI proxy.

          I'd forgotten those things even existed!

          But no, what I was meaning was PHP code you could install on your own server (hosted or otherwise) that would give you very much the same thing. Of course, if you can install CGI on your own/hosted server, that'd probably work reasonably well. Not sure I'd want to do it on "free" hosting systems though.

          Something like http://www.phpkode.com/scripts/item/cecid-censorship-circumvention-device/ is close to what I am referring to.

  17. h3nb45h3r

    I bought one ages ago.

    I bought one when it was on Indiegogo, it great because now I have an easy method to pop out in Los Angeles and listen to KROQ, who geo-block web listeners. It's also very convenient for providing some form of protection when using public Wi-Fi networks in hotels etc.

    If you fell the alphabet agencies are after you, to be honest, they'll go after you laptop or phone. I'm all for personal internet security, but let's bring this into perspective, this device is merely aimed at being part of your security, if you want one device that removes any risk for you data and internet usage, go and invent it, one simply doesn't exist. If you don't trust it, don't buy one. This product, for me, is about aiding in protecting me in public locations where I use public Wi-Fi hotspots, and as the reveiw said, it's very easy to use. The other alternative is to use my 4G allowance, that is no way a safer alternative.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022