VPN hotspot

1,538 Views | 11 Replies | Last: 7 yr ago by TravelAg2004
Bradley.Kohr.II
Anything along these lines?
UmustBKidding
Some of the Cradlepoint boxes do
Bradley.Kohr.II
Any thoughts on these guys?

http://www.tinyhardwarefirewall.com
akaggie05
Couple of questions. Where is the other endpoint of the VPN tunnel it uses? If it's controlled by the company selling these things or another entity, why should you trust them to not monitor/log your traffic?

Looks like it can also be set up to use Tor. You really want to talk about drawing attention to your network traffic, by all means send everything through Tor. Exit nodes are routinely monitored/run by all sorts of shady individuals and government entities.
Bradley.Kohr.II
I don't want to use TOR, but I like the idea of a firmware VPN - if nothing else, it's simple, but I'm quite open to other suggestions
TravelAg2004
Any reason you aren't just running something like PrivateInternetAccess on your computer? Then it doesn't matter what kind of hotspot you get on, you'll be encrypted between you and the PIA server.

You just have to make sure you are connected to PIA before you do anything on the internet.
Bradley.Kohr.II
Thank you. Not sure how much good it does, but it was certainly painless to use
Pro Sandy
quote:


Looks like it can also be set up to use Tor. You really want to talk about drawing attention to your network traffic, by all means send everything through Tor. Exit nodes are routinely monitored/run by all sorts of shady individuals and government entities.
But that's why you create a different persona and don't mix your regular persona with your TOR persona. I think the SilkRoad dude got caught because he mixed personas. And I think there was a Firefox vulnerability, but I think using a VM you delete and restore from image after each session would reduce that risk.

I think using TOR is fine in conjunction with other things like good practices and a VPN. But it also comes down to what you are doing with it. Just wanting to be safe at Starbucks? VPN. Wanting to appear to be in a different country? VPN. Wanting to remain private? I think the additional layers of obfuscation that TOR provides is beneficial.

Of course this should only be used for legal purposes where you just want to remain private.
akaggie05
quote:
But that's why you create a different persona and don't mix your regular persona with your TOR persona. I think the SilkRoad dude got caught because he mixed personas. And I think there was a Firefox vulnerability, but I think using a VM you delete and restore from image after each session would reduce that risk.

I think using TOR is fine in conjunction with other things like good practices and a VPN. But it also comes down to what you are doing with it. Just wanting to be safe at Starbucks? VPN. Wanting to appear to be in a different country? VPN. Wanting to remain private? I think the additional layers of obfuscation that TOR provides is beneficial.

Of course this should only be used for legal purposes where you just want to remain private.


I get what you're saying, and yes, the Silk Road guy got busted because he messed up and basically gave the authorities a piece of information that linked his obfuscated online identity to his real identity. In the OP's case (and based on the 10+ other threads he's started recently), I think he's more concerned with keeping his data secure from eavesdroppers and exploits that might exist when going about his daily life, occasionally using public wifi at a coffee shop or wherever (aka not wanting/willing to maintain a separate online persona and most likely not trying to cover his tracks from shady/illegal activity).

I have concerns with things that I commonly see recommended on threads like this one (mainly, the use of a public VPN service and/or Tor), and I think a lot of it really stems from the general public's lack of understanding of what those technologies are designed to do, including opening up new vulnerabilities and attack vectors that many folks don't consider when they're leaned on as catch-all problem solvers.

Let's start with VPN. At the end of the day, a VPN is nothing more than a tunneling mechanism that encapsulates (and usually encrypts) your traffic between two endpoints. It's great if you want secure access into a network (like your company) that wouldn't ordinarily be available outside a firewall, for example. This is a situation where you would generally trust the entity that set up the VPN tunnel (your company) and also the network in which the endpoint of the VPN resides (your company's network).

Now let's shift over to free or paid public VPN services on the internet. Keep in mind that when you use a VPN, you're passing all of your network traffic through the endpoint on the other side of the tunnel (meaning that, if they wanted to, the operator of the VPN could monitor/log all of your traffic). Now, in reality, that would still be of limited use if all of your sensitive information is passed to its final destination via secure protocols like HTTPS, SSH, etc. However, there's still enough plaintext data passed around during the course of everyday web browsing that most people probably aren't as anonymous as they think if their network traffic is really under a microscope (not limited to but including logging of which sites/services are accessed, even if the payload content of exchanges is encrypted using higher-level protocols). There was a thread started the other day on here about a new free VPN service run by Opera, and then it was quickly mentioned that Opera was now controlled by a Chinese company. Red flags, much?

Now on Tor. Great for two things... keeping your physical location completely private via its system of bouncing encrypted traffic between intermediate nodes before reaching an exit node, and accessing "dark web" sites (not that you'd really want to) where the server itself is running an instance of the Tor client such that it can only be accessed by other Tor nodes. When talking about using Tor in the context of everyday browsing to access non-Tor sites, the only benefit provided is that your location remains anonymous. The use of Tor comes with the same warning of public VPN services, in that you'd better really trust who's running the network. In the case of Tor, anyone can stand up an exit node which serves as the gateway between the encrypted Tor network and the regular internet. Operators of exit nodes are free to monitor traffic (including plaintext traffic to/from end users if secure protocols are not being used). They won't know where I am, but they are certainly free to see me send/receive "Mary had a little lamb" via insecure protocols like regular HTTP. This becomes a problem when that plaintext data might hold sensitive information or, even in the strict case of ciphertext exchanges, patterns of activity that could be used to drive further probing and targeted exploits, not necessarily against the user of the laptop at Starbucks, but against the sites/services that are being accessed.

For an example of that, consider the thought process of a nefarious operator of a Tor exit node (keeping in mind that the barrier to entry on running an exit node is zero). "Hey, someone on Tor is continually logging into secure webmail hosted at mail.xyzlawfirm.com. I can't directly read their mail since everything is being exchanged over HTTPS, but I wonder what's so sensitive about what they're doing and why they feel the need to use Tor. Maybe I'll flag this one and see what exploits I can run against their servers later."

My first question to anyone using Tor or a public VPN service is, "why do you trust the operator of the VPN, and/or any random person off the street who might be running a Tor exit node, to not log and attempt to analyze your traffic?" Beyond that, if you're dead-set on using them, are you disciplined enough to make sure that your applications are all using secure protocols and, beyond that, not inadvertently drawing extra attention to yourself and your network traffic that might end up making you or the services you connect to a more interesting target?

So what do I do personally, given that I travel quite a bit and am forced to use public wifi in airports, hotels, etc? I run an OpenVPN server on a machine at my house and always connect through it when I'm on the road. I've taken steps to reach a reasonable level of confidence that my home network is secure, so the endpoint of the VPN that I use is considered to be inside of a secure perimeter that's not controlled by any third parties. Traffic to/from the internet then leaves my house via my ISP, which is then beyond my control but at least I'm not advertising to the world (via a Tor exit node, for example) that my data is "special" and deserves a closer look. The guy sitting at Starbucks doing packet captures with Wireshark on his laptop sees AES-256 encrypted VPN packets leaving my laptop heading toward the public IP of my cable modem back home. He's free to use that destination IP to see if anything can be exploited, but again, I control the network back home, have taken measures to ensure that it's secure, and am not reliant on third parties to lock down any obvious non-backbone choke points where all of my data is being funneled.

Now, if you see a van parked outside your house hooked up to your DSL line with alligator clips, I can't help you.
UmustBKidding
akagg basically has it right. People think VPN is some magic security device. It is no such thing when the exit is the public internet. It allows you to appear to be located other than where you are physically but really no more. All the standard browser exploits and drive-by downloads work just fine through VPN. And there are some strategies to correlate input encrypted packets to exit packets if you are really worth targeting by a TLA. The upside to TOR is that your exit node changes often. This prevents a single bad actor from stringing together much of your conversation, but remember a long-lived connection has to use the same exit for its lifetime. So you still should be using TLS for things like POP, IMAP, SMTP, SSH and not ever be using things like telnet.
Several TOR issues exist, one being that it's easy for a well funded bad actor to create a large number of exit nodes. I am absolutely sure that nation/states own huge numbers, and some likely share information, but unlikely that China/PLA shares with US/NSA. The current worry about Firefox is that the US gubment has found something they can poke and the browser will give up its real address. It seems that the government is willing to drop some suits if the judge sides with Mozilla and them to give up their exploit.
But basically VPN is designed to traverse the wild internet between two trusted parties. Your laptop hopefully you can trust, and your employer/home network which hopefully can also be trusted. But when used for other functions, it's likely not providing anywhere near the protection people think they are getting by using one.
The Silk Road guy basically got found out by asking a question about how to do something in PHP using both his public and hidden persona. Busted.
If you want to appear to be in UK so you can watch BBC or you are in Europe and want to watch your American Netflix, public VPNs are useful. Public VPNs for security, not very useful at all.



Bradley.Kohr.II
So, back to... Well, hell, in the telegraph era most companies used ciphers/code books...

US mail at least requires a warrant - I realize someone might manage to intercept mail, but it means risking serious jail time and, by definition, being under US Jurisdiction - and, as an attorney, odds are no one would ever get a warrant...
Pro Sandy
quote:
So, back to... Well, hell, in the telegraph era most companies used ciphers/code books...

US mail at least requires a warrant - I realize someone might manage to intercept mail, but it means risking serious jail time and, by definition, being under US Jurisdiction - and, as an attorney, odds are no one would ever get a warrant...
So it is all about trust, right? If you trust a provider like ProtonMail, you can use their end-to-end encryption. If not, use your own encryption like PGP for emails. That then requires your other party to be able to use whatever encryption for email.

I like akaggie's write-up. There are lots of tools, but you have to find the one that works for your application. I don't mind a free public VPN for my purposes because my requirements are pretty low. I just don't want my ISP to know I am using TOR.

Your requirements are probably greater. Concerned about malicious hackers. Guys that might be able to pwn a box or sniff traffic, but aren't compromising the entire internet. Trusting your providers is important.

If you are worried about nation state actors, being an American and using US providers provides you your protection against the US government (cue Snowden posts). Beyond that, you can do things, but someone with time and money will usually win.
TravelAg2004
Just heard about this pretty cool open-source project. It lets you stand up your own VPN server on one of the many VPS providers out there.

https://github.com/jlund/streisand