Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/03/breaking_the_an.html
Researchers have exploited a flaw in the cryptocurrency Monero to break the anonymity of transactions.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/03/hijacking_compu.html
Interesting paper “A first look at browser-based cryptojacking“:
Post Syndicated from Ernesto original https://torrentfreak.com/microsoft-poisoned-torrent-client-triggered-coin-miner-outbreak-180315/
First released in 2010, MediaGet has been around for a while. Initially, the torrent client was available in Russian only, but the team later expanded its reach across the world.
While it’s a relatively small player, it has been installed on millions of computers in recent years. It still has a significant reach, which is what Microsoft also found out recently.
This week the Windows Defender Research team reported that a poisoned version of the BitTorrent client was used to start the Dofoil campaign, which attempted to offload hundreds of thousands of malicious cryptocurrency miners.
Although Windows Defender caught and blocked the culprit within milliseconds, the team further researched the issue to find out how this could have happened.
It turns out that the update process for the application was poisoned. This then enabled a signed version of MediaGet to drop off a compromised version, as can be seen in the diagram below.
“A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability,” Microsoft’s team explains.
The malicious MediaGet version eventually triggered the mass coin miner outbreak. Windows Defender Research stresses that the poisoned version was signed by a third-party software company, not MediaGet itself.
Once the malware was launched, the client built a list of command-and-control servers, using embedded NameCoin DNS servers and domains under the non-ICANN-sanctioned .bit TLD, which made the infrastructure harder to shut down.
MediaGet informs TorrentFreak that hackers compromised the update server to carry out their attack.
“Hackers got access to our update server, using an exploit in the Zabbix service and deeply integrated into our update mechanics. They modified the original version of Mediaget to add their functionality,” MediaGet reveals.
The company says that roughly five percent of all users were affected by the compromised update servers. All affected users were alerted and urged to update their software.
The issue is believed to be fully resolved at MediaGet’s end and they’re working with Microsoft to take care of any copies that may still be floating around in the wild.
“We patched everything and improved our verification system. To all the poisoned users we sent the message about an urgent update. Also, we are in contact with Microsoft, they will clean up all the poisoned versions,” MediaGet concludes.
We’re relentlessly innovating on your behalf at AWS, especially when it comes to security. Last November, we launched Amazon GuardDuty, a continuous security monitoring and threat detection service that incorporates threat intelligence, anomaly detection, and machine learning to help protect your AWS resources, including your AWS accounts. Many large customers, including General Electric, Autodesk, and MapBox, discovered these benefits and have quickly adopted the service for its ease of use and improved threat detection. In this post, I want to show you how easy it is for everyone to get started—large and small—and discuss our rapid iteration on the service.
After more than seven years at AWS, I still find myself staying up at night obsessing about unnecessary complexity. Sounds fun, right? Well, I don’t have to tell you that there’s a lot of unnecessary complexity and undifferentiated heavy lifting in security. Most security tooling requires significant care and feeding by humans. It’s often difficult to configure and manage, it’s hard to know if it’s working properly, and it’s costly to procure and run. As a result, it’s not accessible to all customers, and for those that do get their hands on it, they spend a lot of highly-skilled resources trying to keep it operating at its potential.
Even for the most skilled security teams, it can be a struggle to ensure that all resources are covered, especially in the age of virtualization, where new accounts, new resources, and new users can come and go across your organization at a rapid pace. Furthermore, attackers have come up with ingenious ways of giving you the impression your security solution is working when, in fact, it has been completely disabled.
I’ve spent a lot of time obsessing about these problems. How can we use the Cloud to not just innovate in security, but also make it easier, more affordable, and more accessible to all? Our ultimate goal is to help you better protect your AWS resources, while also freeing you up to focus on the next big project.
With GuardDuty, we really turned the screws on unnecessary complexity, distilling continuous security monitoring and threat detection down to a binary decision—it’s either on or off. That’s it. There’s no software, virtual appliances, or agents to deploy, no data sources to enable, and no complex permissions to create. You don’t have to write custom rules or become an expert at machine learning. All we ask of you is to simply turn the service on with a single click or API call.
GuardDuty operates completely on our infrastructure, so there’s no risk of disrupting your workloads. By providing a hard hypervisor boundary between the code running in your AWS accounts and the code running in GuardDuty, we can help ensure full coverage while making it harder for a misconfiguration or an ingenious attacker to change that. When we detect something interesting, we generate a security finding and deliver it to you through the GuardDuty console and AWS CloudWatch Events. This makes it possible to simply view findings in GuardDuty or push them to an existing SIEM or workflow system. We’ve already seen customers take it a step further using AWS Lambda to automate actions such as changing security groups, isolating instances, or rotating credentials.
Now… are you ready to get started? It’s this simple:
As soon as you enable the service, it immediately starts consuming multiple metadata streams at scale, including AWS CloudTrail, VPC Flow Logs, and DNS logs. It compares what it finds to fully managed threat intelligence feeds containing the latest malicious IPs and domains. In parallel, GuardDuty profiles all activity in your account, which allows it to learn the behavior of your resources so it can identify highly suspicious activity that suggests a threat.
The threat-intelligence-based detections can identify activity such as an EC2 instance being probed or brute-forced by an attacker. If an instance is compromised, it can detect attempts at lateral movement, communication with a known malware or command-and-control server, crypto-currency mining, or an attempt to exfiltrate data through DNS.
Where it gets more interesting is the ability to detect AWS account-focused threats. For example, if an attacker gets hold of your AWS account credentials—say, one of your developers exposes credentials on GitHub—GuardDuty will identify unusual account behavior: an unusual instance type being deployed in a region that has never been used, suspicious attempts to inventory your resources by calling unusual patterns of list or describe APIs, or an effort to obscure user activity by disabling CloudTrail logging.
Our obsession with removing complexity meant making these detections fully-managed. We take on all the heavy lifting of building, maintaining, measuring, and improving the detections so that you can focus on what to do when an event does occur.
When we launched at the end of November, we had thirty-four distinct detections in GuardDuty, but we weren’t stopping there. Many of these detections are already on their second or third continuous improvement iteration. In less than three months, we’ve also added twelve more, including nine CloudTrail-based anomaly detections that identify highly suspicious activity in your accounts. These new detections catch changes to, or reconnaissance of, network, resource, and user permissions, as well as anomalous activity in EC2, CloudTrail, and AWS console log-ins. These are detections we’ve built based on what we’ve learned from observed attack patterns across the scale of AWS.
The intelligence in these detections is built around the identification of highly sensitive AWS API calls that are invoked under one or more highly suspicious circumstances. The combination of “highly sensitive” and “highly suspicious” is important. Highly sensitive APIs are those that change the security posture of an account by adding or elevating users, user policies, roles, or account-key IDs (AKIDs). Highly suspicious circumstances are determined from underlying models profiled at the API level by GuardDuty. The result is the ability to catch real threats, while decreasing false positives, limiting false negatives, and reducing alert noise.
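The “sensitive call under suspicious circumstances” rule and the reconnaissance detection described above, as an added toy example written for this post (it is not GuardDuty’s code, whose models are not public). The sensitive-API list, thresholds, principal ARN, IP addresses and CloudTrail-style records are all constructed assumptions.

```python
"""Toy CloudTrail anomaly detector illustrating two ideas from the post:
1. a "highly sensitive" API call (IAM posture change, trail tampering) is only
   flagged when made under "highly suspicious" circumstances, i.e. from a region
   or source IP the principal has never used before;
2. reconnaissance is a burst of many distinct List*/Describe*/Get* calls.
All records below are constructed samples, not real CloudTrail output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative list (assumption), not GuardDuty's: calls that add or elevate
# principals/policies/keys, or blind the audit trail.
SENSITIVE_APIS = {
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "PutUserPolicy"),
    ("iam.amazonaws.com", "CreateLoginProfile"),
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
}
RECON_PREFIXES = ("List", "Describe", "Get")
RECON_WINDOW = timedelta(minutes=5)
RECON_DISTINCT_THRESHOLD = 6  # constructed threshold


def build_baseline(history):
    """Profile each principal from past events: regions and source IPs it used.
    Stand-in for the per-principal model the post describes."""
    baseline = defaultdict(lambda: {"regions": set(), "ips": set()})
    for ev in history:
        prof = baseline[ev["userIdentity"]["arn"]]
        prof["regions"].add(ev["awsRegion"])
        prof["ips"].add(ev["sourceIPAddress"])
    return baseline


def detect(events, baseline):
    """Return a list of (eventID, reason) findings, in event-time order."""
    findings = []
    recon = defaultdict(list)  # principal -> [(time, eventName)] inside the window
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        arn = ev["userIdentity"]["arn"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        prof = baseline.get(arn)  # .get() does not create a default entry

        # Rule 1: sensitive AND suspicious. A sensitive call from a known
        # region and IP is deliberately NOT flagged, which is what keeps noise down.
        if (ev["eventSource"], ev["eventName"]) in SENSITIVE_APIS:
            reasons = []
            if prof is None:
                reasons.append("unknown principal")
            else:
                if ev["awsRegion"] not in prof["regions"]:
                    reasons.append(f"new region {ev['awsRegion']}")
                if ev["sourceIPAddress"] not in prof["ips"]:
                    reasons.append(f"new source IP {ev['sourceIPAddress']}")
            if reasons:
                findings.append((ev["eventID"], f"{ev['eventName']}: " + ", ".join(reasons)))

        # Rule 2: reconnaissance burst of distinct read-only APIs from one principal.
        if ev["eventName"].startswith(RECON_PREFIXES):
            window = recon[arn]
            window.append((ts, ev["eventName"]))
            window[:] = [(t, n) for t, n in window if ts - t <= RECON_WINDOW]
            distinct = {n for _, n in window}
            if len(distinct) >= RECON_DISTINCT_THRESHOLD:
                findings.append((ev["eventID"], f"recon burst: {len(distinct)} distinct read APIs"))
                window.clear()  # one finding per burst
    return findings


def _ev(eid, time, arn, source, name, region, ip):
    """Build a minimal CloudTrail-shaped record (constructed sample)."""
    return {"eventID": eid, "eventTime": time, "userIdentity": {"arn": arn},
            "eventSource": source, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip}


DEV = "arn:aws:iam::111122223333:user/dev-alice"  # constructed principal

# Constructed history: the developer normally works from us-east-1 and one office IP.
HISTORY = [
    _ev("h1", "2018-03-01T09:00:00Z", DEV, "ec2.amazonaws.com", "DescribeInstances", "us-east-1", "198.51.100.7"),
    _ev("h2", "2018-03-01T09:05:00Z", DEV, "iam.amazonaws.com", "CreateAccessKey", "us-east-1", "198.51.100.7"),
]

# Constructed "today": the same key used from a new IP in an unused region to
# inventory the account and add a user; then StopLogging from the usual place.
TODAY = [
    _ev("t1", "2018-03-15T02:00:00Z", DEV, "ec2.amazonaws.com", "DescribeInstances", "ap-south-1", "203.0.113.9"),
    _ev("t2", "2018-03-15T02:00:10Z", DEV, "s3.amazonaws.com", "ListBuckets", "ap-south-1", "203.0.113.9"),
    _ev("t3", "2018-03-15T02:00:20Z", DEV, "iam.amazonaws.com", "ListUsers", "ap-south-1", "203.0.113.9"),
    _ev("t4", "2018-03-15T02:00:30Z", DEV, "iam.amazonaws.com", "ListRoles", "ap-south-1", "203.0.113.9"),
    _ev("t5", "2018-03-15T02:00:40Z", DEV, "ec2.amazonaws.com", "DescribeSecurityGroups", "ap-south-1", "203.0.113.9"),
    _ev("t6", "2018-03-15T02:00:50Z", DEV, "sts.amazonaws.com", "GetCallerIdentity", "ap-south-1", "203.0.113.9"),
    _ev("t7", "2018-03-15T02:01:00Z", DEV, "iam.amazonaws.com", "CreateUser", "ap-south-1", "203.0.113.9"),
    _ev("t8", "2018-03-15T02:01:10Z", DEV, "cloudtrail.amazonaws.com", "StopLogging", "us-east-1", "198.51.100.7"),
]


def run_sample():
    """Run the detector on the constructed data; t6 and t7 are flagged, t8 is not."""
    return detect(TODAY, build_baseline(HISTORY))


if __name__ == "__main__":
    for event_id, reason in run_sample():
        print(event_id, reason)
```

Whether a StopLogging call from a known location (t8) should still alert is a policy choice; this toy follows the post’s “sensitive and suspicious” combination, so it stays quiet there.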
As we like to say in Amazon, it’s still day one. I’m excited about what we’ve built with GuardDuty, but we’re not going to stop improving, even if you’re already happy with what we’ve built. Check out the list of new detections below and all of the GuardDuty detections in our online documentation. Keep the feedback coming as it’s what powers us at AWS.
Now, I have to stop writing because my wife tells me I have some unnecessary complexity to remove from our closet.
If you have feedback about this blog post, submit comments in the “Comments” section below. If you have questions about this blog post, start a new thread on the Amazon GuardDuty forum or contact AWS Support.
Post Syndicated from Ernesto original https://torrentfreak.com/vpn-services-keep-anonymous-2018/
Using a VPN service is a great way to protect your privacy online.
However, not all VPN services are as private as you might think. In fact, some are known to keep extensive logs that can easily identify specific users on their network.
This is the main reason why we publish a yearly VPN review, asking providers about their respective logging policies as well as other security and privacy aspects.
It’s worth keeping in mind though that not all VPN protocols and encryption algorithms are equally secure. PPTP is known to be vulnerable for example, and pre-shared keys are also a risk. We ask all VPN providers what their best recommendation is, but we encourage readers to fully research all options.
This year’s questions are as follows:
1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?
2. What is the name under which your company is incorporated, and under which jurisdiction does your company operate?
3. What tools are used to monitor and mitigate abuse of your service, including limits of concurrent connections if these are enforced?
4. Do you use any external email providers (e.g. Google Apps), analytics, or support tools (e.g. Live support, Zendesk) that hold information provided by users?
5. In the event you receive a DMCA takedown notice or a non-US equivalent, how are these handled?
6. What steps are taken when a court orders your company to identify an active or past user of your service? How would your company respond to a court order that requires you to log activity going forward? Has any of this ever happened?
7. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?
8. Which payment systems/providers do you use? Do you take any measures to ensure that payment details can’t be linked to account usage or IP-assignments?
9. What is the most secure VPN connection and encryption algorithm you would recommend to your users?
10. Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?
11. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Do you use your own DNS servers? (if not, which servers do you use?)
12. In what countries are your servers physically located? Do you offer virtual locations?
Below is the list of responses from the VPN services in their own words. These are not endorsements and trust is crucial. Providers which didn’t answer our questions directly, blocked certain traffic, or are logging extensively were excluded. We specifically chose to leave room for detailed answers where needed. The order of the list holds no value.
1. We do not store any logs relating to traffic, session, DNS or metadata. We do not keep any logs for any person or entity to match an IP address and a timestamp to a user of our service. In other words, we do not log, period. Privacy is our policy.
2. Private Internet Access is operated by London Trust Media, Inc., with branches in the US and Iceland, which are a few of the countries that still respect privacy and do not have a mandatory data retention policy.
3. We have an active, proprietary system in place to help mitigate abuse.
4. At the moment we are using Google Apps Suite and Zendesk. However, we are in the process of migrating our support to Deskpro, an in-house self-hosted solution.
5. We do not monitor our users, and we keep no logs, period. That said, we do have an active, proprietary system in place to help mitigate abuse.
6. Every court order is scrutinized to the highest extent for compliance with both the “spirit” and “letter of the law.” We do periodically receive subpoenas from law enforcement agencies that we scrutinize for compliance and respond accordingly. This is all driven based upon our commitment to privacy. All this being said, we do not log and do not have any data on our customers other than their signup e-mail and account username.
7. Yes, BitTorrent and file-sharing traffic are allowed and treated equally to all other traffic (although it’s routed through a second VPN in some cases). We do not censor our traffic because we believe in an open internet, period.
8. We utilize a variety of payment systems, including, but not limited to: PayPal, Credit Card (with Stripe), Amazon, Google, Bitcoin, Bitcoin Cash, Zcash, CashU, PaymentWall, and any major store-bought gift card and OKPay. Payment data is not linked nor linkable to user activity due to our no logs policy.
9. At the moment, the most secure and practical VPN connection and encryption algorithm that we recommend to our users would be our cipher suite of AES-256 + RSA4096 + SHA256.
10. Yes, our users gain access to a plethora of additional tools, including but not limited to:
(a) Kill Switch: Ensures that traffic is routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic will not route.
(b) IPv6 Leak Protection: Protects clients from websites which may include IPv6 embeds, which could lead to IPv6 IP information coming out.
(c) DNS Leak Protection: This is built-in and ensures that DNS requests are made through the VPN on a safe, private, no-log DNS daemon.
(d) Shared IP System: We mix clients’ traffic with many other clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.
(e) MACE™: Protects users from malware, trackers, and ads.
11. We utilize our own bare metal servers in third-party data centers that are operated by trusted friends and, now, business partners whom we have met and on whom we have completed serious due diligence. Our servers are located in facilities including 100TB, Choopa, Leaseweb, among others.
We also operate our own DNS servers on our high throughput network. These servers are private and do not log.
12. As of the beginning of 2018, we operate 3172 servers across 43 locations in 28 countries. For more information on what countries are available, please visit our network information page. All of our locations are physical and not virtualized.
1. We do not keep any logs nor timestamps that could allow our customers to be identified.
2. The registered company name is Tefincom co S.A., and it operates under the jurisdiction of Panama.
3. We have developed and implemented an automated tool that limits the maximum number of connections to six devices. We do not use any other tools.
4. We use Google Analytics and third-party ticket/live chat tools (Zendesk/Zopim). Google Analytics is used to improve our website and provide our users with the most relevant information. The ticket/live chat tool is used to provide the best support in the industry (available 24/7), but not tracking our users by any means.
5. We operate under Panama’s jurisdiction, where DMCA and similar orders have no legal bearing. Therefore, they do not apply to us.
6. If the order or subpoena is issued by a Panamanian court, we would have to provide the information if we had any. However, our zero-log policy means that we don’t have any information about our users’ online activity. So far, we haven’t had any such cases.
7. Yes, we allow P2P traffic. We have optimized a number of our servers specifically for file-sharing; this way, we ensure that other servers, which are meant for streaming and other purposes, have uninterrupted speeds.
8. Our customers are able to pay via credit card, PayPal and Bitcoin. Our payment processing partners collect basic billing information for payment processing and refund requests, but it cannot be related to any Internet activity of a particular customer. Bitcoin is the most anonymous option, as it does not link the payment details with the user identity or other personal information.
9. The ciphers we use along with the OpenVPN and IKEv2/IPSec protocols have never been cracked. Therefore, both of these protocols are highly secure. For OpenVPN connections, we use the AES 256 CBC algorithm. IKEv2/IPSec ciphers used to generate Phase1 keys are AES-256-GCM for encryption, coupled with SHA2-384 to ensure integrity, combined with PFS (Perfect Forward Secrecy) using 3072-bit Diffie-Hellman keys.
10. Yes, we do provide both an automatic kill switch and a feature for DNS leak protection.
11. We use a hybrid model, whereby we control some of our servers but also partner with premium data centers with strong security practices. Due to our special server configuration, no one is able to collect or retain any data, ensuring compliance with our no-logs policy. We also have specific requirements for network providers to ensure highest service quality for our customers. We do have our own DNS servers, and all DNS requests go through those.
12. All of our servers are dedicated and located in the same countries we state they are – we do not offer virtual locations. At the moment, NordVPN provides more than 3000 servers in 59 countries. Full location list can be found at nordvpn.com/servers.
1. No, ExpressVPN doesn’t keep any connection or activity logs, including never logging browsing history, data contents, DNS requests, timestamps, source IPs, outgoing IPs, or destination IPs. This ensures that we cannot ascertain whether a given user was connected to the VPN at a certain time, assumed a particular outgoing IP address, or generated any specific network activity. It is not possible to match a user to data points that we never possess.
2. Express VPN International Ltd. is a BVI (British Virgin Islands) company. Being under BVI jurisdiction helps to protect user privacy, as the BVI has no data retention laws, is not party to any 14 Eyes intelligence sharing agreements, and has a dual criminality provision that safeguards against legal overreach.
3. To protect our customers’ privacy, we do not monitor or log any user activity on our network. We do however reserve the right to block specific abusive traffic to protect the server network and other ExpressVPN customers. With regards to limits on the number of devices simultaneously connected, no timestamps or IP addresses are ever logged; our systems are merely able to identify how many active sessions a given license has at a given moment in time and use that counter to decide whether a license is allowed to create one additional session. This counter is temporary and is not tracked over time.
5. As we do not keep any data or logs that could link specific activity to a given user, ExpressVPN does not identify or report users as a result of DMCA notices. User privacy and anonymity are always preserved.
6. Legally our company is only bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or in conjunction with BVI authorities via a mutual legal assistance treaty. As a general rule, we reply to law enforcement inquiries by informing the investigator that we do not possess any data that could link activity or IP addresses to a specific user. Regarding a demand that we log activity going forward: Were BVI law enforcement ever to make such a request, we would refuse to re-engineer our systems in a way that infringes on the privacy protections that our customers trust us to uphold.
7. We do not believe in restricting or censoring any type of traffic. ExpressVPN allows all traffic, including BitTorrent and other file-sharing traffic (without re-routing), from all of our VPN servers.
8. ExpressVPN accepts all major credit cards, PayPal, and a large number of local payment options. We also accept Bitcoin, which we recommend for those who seek maximum privacy with relation to their form of payment. As we do not log user activity, IP addresses, or timestamps, there is no way for ExpressVPN or any external party to link payment details entered on our website with any VPN activities.
9. ExpressVPN apps generally default to our recommended protocol for security and performance: OpenVPN UDP. Our apps use a 4096-bit CA, AES-256-CBC encryption, TLSv1.2, and SHA512 signatures to authenticate our servers.
10. Yes, ExpressVPN protects users from privacy and security leaks in a number of ways (for more info about leak protection, see our Privacy Research Lab). Our “Network Lock” feature, which is turned on by default, prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when your internet connection drops or in various additional scenarios where other VPNs might leak.
11. Our VPN servers are hosted in trusted data centers with strong security practices. The data center employees do not have server credentials, and the server disks are fully encrypted to mitigate risks from physical seizure. Our policy of not collecting activity or connection logs also means that servers do not contain any data that could map users to specific activity.
We run our own logless DNS on every server, meaning no personally identifiable data is ever stored. We do not use third-party DNS.
12. ExpressVPN has over 2,000 servers covering 94 countries. For more than 97% of these servers, the physical server and the associated IP addresses are located in the same country — a physical footprint covering every continent save Antarctica, ensuring there are server locations near all users.
For countries where it is difficult to find servers that meet ExpressVPN’s rigorous standards for server security, reliability, and speed, we use virtual locations to still make it possible for users to assume IP addresses from those countries. These locations represent less than 3% of ExpressVPN’s server count, and the specific countries are published on our website here.
1. No logs are retained that would allow the correlation of the user’s IP address to a VPN address. The session database does not include the origin IP address of the user. Once a connection has been terminated the session information is deleted from the session database.
2. The name of the company is PrivActually Ltd which operates out of Cyprus.
3. Real abuse is mitigated by meatware [humans]. User traffic is not monitored or inspected in any way. TCP/IP sessions are not limited individually, but by server, to 10 million established connections. Packet floods are dealt with by using adaptive packet rate limiters at the switch port level and kick in at 90k pps. The number of concurrent connections is limited by the VPN backend software.
4. There is no visitor tracking mechanism, not even passive ones analyzing the web server logs. IPredator runs its own mail infrastructure and does not use third party products like GMail. Neither do we use data hogs like a ticket system to manage support requests. IPredator sticks to a simple mail system and deletes old data after three months from the mailboxes.
5. Requests are evaluated according to the legal frameworks set forth in the jurisdictions the service operates in and we react accordingly. After receiving a request its validity is verified. DMCA takedown abuse using fake credentials seems to be all the rage these days.
6. A canary is maintained to indicate the current legal state of affairs. In case of a court order that forces us to enable log activity we would rather shut down the service than comply.
7. BitTorrent and other file-sharing traffic is allowed.
8. PayPal, Bitcoins, Payza, and Payson are fully integrated. Other payment methods are available on request. An internal transaction ID is used to link payments to the payment processor. We do not store any other data about payments associated with the user’s account. The systems dealing with payments have no connection to the part of the infrastructure that handles VPN connections. Frontend proxies are used to make sure user IP addresses do not show up in any of the backend systems.
9. IPredator provides config files for various platforms and clients that enforce TLS1.2 on supported systems. Ideally, the client negotiates ECDHE-RSA-AES256-GCM as a suite for the control and AES256 for the data channel. For further protection, detailed setup instructions and howtos are provided to our users.
10. Netsplice, IPredator’s cross-platform VPN client, has native support for various types of kill switches. You can kill a program, just put it to sleep, shutdown your machine or wipe your hard disk … it is up to you. Users can use this page to check for a number of leaks, not just DNS leaks.
11. We own every server, switch, and cable we use to provide the VPN service up to our uplink network. The machines are located in Sweden due to the laws that allow us to run our service in a privacy-protecting manner. If the situation should change we are able to move operations to a different country. The core for any privacy service is trust in the integrity of the underlying infrastructure. Everything else has to build upon that, which includes the DNS servers.
1. No logs or timestamps are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network. In addition to a strict no logging policy we run a default shared IP configuration across all servers. Because there are no logs kept and multiple users sharing a single IP address, it is not possible to match any user with an IP and time stamp.
2. TorGuard is owned and operated by VPNetworks LLC under US jurisdiction, with our parent company VPNetworks LTD, LLC based in Nevis.
3. We utilize a number of highly customized scripts to monitor network performance and limit simultaneous connections through a radius-based authentication server.
4. We use anonymized Google Analytics data to optimize our website and Sendgrid for transactional email. TorGuard’s 24/7 live chat services are provided through Livechatinc’s platform. Customer support desk requests are maintained by TorGuard’s own private ticketing system.
5. In the event a valid DMCA notice is received it is immediately processed by our abuse team. Due to our no log and no time stamp policy and shared IP network – we are unable to forward any requests to a single user.
6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of our shared IP network configuration and the fact that we do not hold any identifying logs or time stamps. TorGuard’s network was designed to operate with minimum server resources and is not physically capable of retaining such logs. There is no on/off switch to log activity so it would be impossible to comply with such a request. No, this has never happened.
7. Yes, BitTorrent and all P2P traffic is allowed. By default we do not block, re-route, or limit any types of traffic across our network.
8. We currently offer over 200 different payment options. This includes all forms of credit card, PayPal, Bitcoin, cryptocurrency (e.g. Litecoin, Ethereum, Monero + many more), Alipay, WeChat Pay, UnionPay, 100+ Gift Card brands, and many other worldwide local payment options. No user can be linked back to account usage or IP assignments because we maintain zero logs across our network.
9. For best security, we advise clients to use OpenVPN and select the cipher option AES-256-GCM, with 4096bit RSA and SHA512 HMAC. We use TLS 1.2 on all servers with perfect forward secrecy enabled. For faster speeds and “obfuscated” Stealth VPN access, we suggest using OpenConnect SSL VPN with cipher option AES-256-GCM. TorGuard offers a wide range of VPN protocols, including OpenVPN, iKEV2, IPsec, SSTP, OpenConnect/AnyConnect, Stunnel, and Shadowsocks.
10. TorGuard’s VPN software provides strict security features by automatically disabling IPv6 and blocking any potential DNS or WebRTC leaks. We offer a full connection kill-switch that safeguards your VPN traffic against accidental disconnects and can hard kill your interfaces if needed, and an application kill-switch that can terminate specific apps if the VPN connection is interrupted for additional safety.
11. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by TorGuard staff. By default, the TorGuard VPN app uses private no log DNS on each VPN endpoint. The TG app also allows clients to modify their VPN session with a custom DNS entry of their choosing.
12. TorGuard currently maintains thousands of servers in over 55 countries around the world, and we continue to expand the network each month. All servers are physically located in the stated country of origin and we do not use any virtual locations.
1. No, we do not record or store any logs related to our services. No traffic, user activity, timestamps, IP addresses, number of active and total sessions, DNS requests, or any other kind of logs are stored. System logs are disabled. Anonymity of our users is very important to us as described in our Terms of Service.
2. The registered company name is Netbouncer AB and we operate under Swedish jurisdiction where there are no data retention laws that apply to VPN providers.
3. Our servers are running using Blind Operator mode which means we took extra security steps to ensure that we cannot monitor any traffic at all. Abuses like incoming DDoS attacks are usually mitigated with UDP filtering on the source port used by an attacker.
4. No, we do not rely on and refuse to use external third-party systems. We run our own email infrastructure and encourage people to use PGP encryption. Ticketing support system, website analytics (Piwik, with anonymization settings) and other tools are hosted in-house on open-source software. We have plans to replace some of these tools by solutions developed by ourselves.
5. We politely inform the sender party that we do not keep any logs and are unable to identify a user.
6. In the case that a valid court order is issued, we will inform the other party that we are unable to identify an active user or past user of our service while running as a Blind Operator, which prevents live analysis of traffic. In that case, they would probably force us to hand over physical access to the server, which is fine since they would have to reboot to gain any kind of access, and since we are running diskless in RAM, all data will be lost. So far, we have never received any court order and no personal information has ever been given away.
7. Yes, BitTorrent, peer-to-peer and file-sharing traffic is allowed and treated equally to any other traffic on all of our locations. We strongly believe in net neutrality.
8. As of now, we propose a variety of payments options including anonymous methods such as Bitcoin, Bitcoin Cash, Litecoin, Monero, Ethereum and some other cryptocurrencies (through CoinPayments) and cash money via postal mail. We also offer PayPal, credit cards (VISA, MasterCard and American Express through Paymentwall) and Swish. We do not store sensitive payment information on our servers, we only retain an internal reference code for order confirmation.
9. We recommend our users to use our new WireGuard servers available on Linux, some routers (LEDE/OpenWRT), and soon on Android.
– Data channel cipher: CHACHA20 with POLY1305 for authentication and data integrity
– Authenticated key exchange: Noise Protocol Framework’s Noise_IKpsk2, using Curve25519, Blake2s, and CHACHA20-POLY1305, a formally verified
Otherwise, we recommend OpenVPN with default configuration available in UDP and TCP modes. These settings offer the highest grade of security achieved through OpenVPN on all of our servers:
– Data channel cipher: AES-256-GCM (OpenVPN 2.4) or AES-256-CBC with HMAC-512 for authentication and data integrity (OpenVPN 2.3)
– Control channel cipher: TLS v1.2 using TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 (AEAD)
– Authenticated key exchange: Diffie-Hellman method and Perfect Forward Secrecy (DHE) using an RSA key with a 4096 bit key size, re-keying every 120 minutes (can be lowered)
– Additional auth key: RSA with a 2048 bit key size
– Additional crypt key: RSA with a 2048 bit key size
10. We offer a new custom open-source VPN application called azclient, for all desktop platforms (Windows, macOS and Linux), with source code released on GitHub under the GPLv2 license, currently supporting OpenVPN. Our client is developed by a security expert and designed with ease of installation and use in mind, allowing users to connect to the VPN servers with only a few clicks. We plan to add a kill switch and DNS leak protection features to the client in the future.
11. We physically own all of our hardware, in all of our locations, including bare metal dedicated servers and switches, co-located in closed racks in different data centers around the world meeting our strict security criteria, using dedicated network links and carefully chosen providers for maximum network quality and throughput. We host our own non-logging DNS servers in different locations and provide DNSCrypt support for DNS request encryption.
12. As of now, we operate across five locations including Canada, Spain, Sweden, United Kingdom and the United States. Moldova is planned later this year, as indicated on our roadmap. There are no virtual locations.
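Added here as an illustration, not azire's own configuration: an OpenVPN 2.4 server fragment that realizes the OpenVPN settings listed above (TLS 1.2 with the DHE-RSA AEAD suite, 4096-bit RSA/DH, 120-minute re-keying, AES-256-GCM with an AES-256-CBC/HMAC-SHA512 fallback for 2.3 clients, and a separate static key for the control channel). The certificate, key, DH and tls-auth file names are placeholders.

```conf
# Control channel: TLS 1.2 only, DHE-RSA AEAD suite, so every session has
# Perfect Forward Secrecy
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384

# 4096-bit RSA server certificate and matching 4096-bit DH parameters
# (placeholder file names)
cert server.crt
key server.key
dh dh4096.pem

# Re-key every 120 minutes (7200 s); lower it for a shorter key lifetime
reneg-sec 7200

# Data channel: 2.4 clients negotiate AES-256-GCM through ncp-ciphers;
# 2.3 clients cannot negotiate and use the static fallback below,
# AES-256-CBC authenticated with HMAC-SHA512
ncp-ciphers AES-256-GCM
cipher AES-256-CBC
auth SHA512

# Additional control-channel protection: every TLS handshake packet is
# HMAC-signed with a separate static key, so unauthenticated packets are
# dropped before the TLS stack sees them. On OpenVPN 2.4 "tls-crypt ta.key"
# additionally encrypts the control channel.
tls-auth ta.key 0
```

With `cipher AES-256-CBC` as the fallback, a 2.3 client that connects can be recognised in the server log by the absence of a negotiated GCM cipher.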
2. The registered name of the company is Server Management LLC and we operate under US jurisdiction.
3. A single subscription can be used simultaneously for three connections. Abuse of service usually means using non-P2P servers for torrents or DMCA notices. Also, our no-log policy makes it impossible to track who downloaded/uploaded any data from the internet using our VPN. We use an iptables plugin to block P2P traffic on servers where P2P is not explicitly allowed. We block outgoing mail on port 25 to prevent spamming activity.
4. We use live chat provided by tawk.to and Google Apps for incoming email. For outgoing email we use our own SMTP server.
5. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the datacenter or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which makes it impossible to track who downloaded any data from the internet using our VPN.
6. HideIPVPN may disclose information, including but not limited to information concerning a client, in order to comply with a court order, subpoena, summons, discovery request, warrant, statute, regulation, or governmental request. But due to the fact that we have a no-logs policy and we use shared IPs, there won’t be anything to disclose except billing details. This has never happened before.
7. This type of traffic is welcomed on our German (DE VPN), Dutch (NL VPN), Luxembourg (LU VPN) and Lithuanian (LT VPN) servers. It is not allowed on US, UK, Canada, Poland, Singapore and French servers as stated in our TOS; the reason for this is our agreements with data centers. We also have a specific VPN plan for torrents.
8. Currently, HideIPVPN accepts the following methods: PayPal, Bitcoin, credit and debit cards, JCB, American Express, Diners Club International and Discover. All our clients’ billing details are stored in the WHMCS billing system.
9. SoftEther VPN protocol looks very promising and secure. Users can currently use our VPN applications on Windows and OSX systems.
10. Yes, our free VPN apps have both features built in.
11. We don’t have physical control over our VPN servers. Servers are outsourced to premium data centers with high-quality Tier 1 networks.
12. At the moment we have VPN servers located in 10 countries: US, UK, Netherlands, Germany, Luxembourg, Lithuania, Canada, Poland, France and Singapore. As you can see, the number of available locations is steadily growing.
1. No, we don’t keep any logs. We have developed our system with an eye on our customers’ privacy, so we created a distributed VPN cluster with independent public nodes that do not store any customer data or logs at all.
2. Hide.me VPN is operated by eVenture Limited and based in Malaysia with no legal obligation to store any user logs at all.
3. We do not limit or monitor individual connections. To mitigate abuse we deploy general firewall rules on some servers that apply to specific IP ranges. By design, one username can only establish one simultaneous connection.
4. Our landing pages, which are solely used for advertising purposes, include a limited amount of third-party tracking scripts, namely Google Analytics. However, no personal information that could be linked with the VPN usage is shared with these providers. We do not send information that could compromise someone’s security over email.
5. Since we don’t store any logs and/or host copyright infringing material on our services, we’ll reply to these notices accordingly.
6. Although it has never happened, in such a scenario we won’t be able to entertain the court orders because our infrastructure is built in a way that does not store any logs, and there is no way we could link any particular cyber activity to any particular user. In case we are forced to store user logs, we would prefer to close down rather than put at stake the users who have placed their trust in us.
7. There is no effective way of blocking file-sharing traffic without monitoring our customers, which is against our principles and would even be illegal. Usually, we only recommend that our customers avoid the US & UK locations for file-sharing, but it is on a self-regulatory basis since these countries have strong anti-copyright laws in place.
8. We support a wide range of popular payment methods, including all major cryptocurrencies like Bitcoin, Litecoin, Ethereum, Dash and Monero, as well as PayPal, credit cards and bank transfer. All payments are handled by external payment providers and are linked to a temporary payment ID. This temporary payment ID can’t be connected to the user’s VPN account/activity. After the payment is completed, the temporary payment ID will be permanently removed from the database.
9. After all, modern VPN protocols that we all support – like IKEv2, OpenVPN and SSTP – are considered secure even after the NSA leaks. We follow cryptographic standards and configured our VPN servers accordingly in order to support a secure key exchange with 8192-bit key size and a strong symmetric encryption (AES-256) for the data transfer.
10. Our users’ privacy is of utmost concern to us. Our Windows client has features such as Kill Switch, Auto Connect and Auto Reconnect, which make sure that the user is always encrypted and anonymous.
11. We operate our own non-logging DNS servers to protect our customers from DNS hijacking and similar attacks. We operate 30+ server locations in 27 different countries. However, we do not own physical hardware. There is intrusion detection and various other security measures in place to ensure the integrity and security of all our single servers. Furthermore, we choose all third-party hosting providers very carefully, so we can assure that there are certain security standards in place (ISO 27001) and no unauthorized person can access our servers. Among our reputable partners are Leaseweb, NFOrce, Equinix and Softlayer.
12. Our servers are located in countries all over the world; among the most popular ones are Canada, Netherlands, Singapore, Germany, Brazil, Mexico and Australia. Below is the complete list of countries; alternatively, you can view all available locations here.
1. No, not doing so is fundamental to any privacy service regardless of the security or policies implemented to protect the log data. In addition, it is not within our interest to do so as it would increase our liability and is not required by the laws of any jurisdiction that IVPN operates in.
2. Privatus Limited, Gibraltar.
3. We use a few custom scripts (based on PSAD) to proactively detect and alert on malicious activity. From a management perspective, we monitor our network using Zabbix. In the almost 10 years we’ve been operating, it’s safe to say we’ve seen almost everything.
4. No. We made a strategic decision from day one that no company or customer data would ever be stored on 3rd party systems. All our internal services run on our own dedicated servers that we set up, configure and manage. No 3rd parties have access to our servers or data.
5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we inform them that we never store the IP addresses of customers connected to our network nor are we legally required to do so.
6. Firstly, this has never happened. However, if asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information. If legally compelled to log activity going forward we would do everything in our power to alert the relevant customers directly (or indirectly through our warrant canary).
7. Yes, all file-sharing traffic is permitted and treated equally on all servers. We do encourage customers to use non-USA based exit servers for P2P as any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.
8. We accept Bitcoin, cash, PayPal and credit cards. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin. When paying with PayPal or a credit card a token is stored that is used to process recurring payments, but this is not linked in any way to account usage or IP assignments.
9. We provide RSA-4096 / AES-256-GCM with OpenVPN, which we believe is more than secure enough for our customers’ needs.
10. Yes, the IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible including IPv6, DNS, network failures, WebRTC STUN etc.
11. We use bare metal dedicated servers leased from 3rd party data centers in each country where we have a presence. We install each server using our own custom images and employ full disk encryption to ensure that if a server is ever seized the data is worthless. We also operate an exclusive multi-hop network allowing customers to choose an entry and exit server in different jurisdictions which would make the task of legally gaining access to servers at the same time significantly more difficult. We operate our own network of log free DNS servers that are only accessible to our customers.
12. Please see https://www.ivpn.net/server-locations. We do not offer virtual locations.
1. We don’t keep any logs that can match a user to an IP and timestamp.
2. Windscribe Limited, Ontario (Canada) Corporation.
3. We store the total amount of bytes transferred in a 30 day period. This counter gets reset monthly and there is no historical usage. We block SMTP port 25 to prevent email spamming.
4. Everything is self-hosted including but not limited to email, support desk, and live chat.
5. We notify the sender that the IP address is a VPN node and is shared by hundreds of people at any given moment, so there is no way to trace the activity to any single user.
6. We received multiple subpoenas and court orders requesting subscriber information. Our response was identical to what we send in case of a DMCA related request in every case. We were never ordered to log users (although there were requests), but since we’re in Canada which has no mandatory data retention directives that apply to VPNs, we wouldn’t need to comply.
7. BitTorrent is allowed in all locations as we don’t interfere with the traffic. We request that users don’t do it in Japan and India due to more stringent providers in those regions, but it’s more of a guideline than a rule.
8. Credit cards (Stripe), PayPal, all major cryptocurrencies and various gift cards. As we store no logs of this type, there is nothing to link the payments to.
9. We support OpenVPN and IKEv2. Both are equally secure as we use the strongest encryption possible (GCM-AES-256) with both. We recommend trying IKEv2 first, as it’s faster in almost all cases. If it’s blocked on your network, then you can use OpenVPN, which operates on common ports and is a lot harder to block, especially when using Stealth (Stunnel) mode. Our application tries all the protocols automatically and uses the best one for your specific network.
10. Windscribe Firewall is built into our Windows and Mac applications. It blocks all connectivity outside of the tunnel to ensure there is zero chance of any kind of leak, including but not limited to DNS leaks, IPv6 leaks, WebRTC leaks, etc.
A firewall blocks ALL connectivity outside of the tunnel. If the VPN connection drops, there is nothing that needs to be done, and not a single packet can leave the machine, since the firewall will not allow it. In geek terms, it fails closed.
11. All our servers are bare metal machines which are leased from various reputable hosting providers worldwide. As we have servers in over 100 different data centers, listing them here would create a fairly lengthy list.
Each VPN node we operate has a recursive DNS server running on it, which is only accessible over the tunnel as it listens exclusively on a LAN IP address.
12. We have servers in 50 countries and over 100 cities. The full list is shown here. All our servers are physically where they are claimed to be, as we don’t have any fake/virtual locations.
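The fail-closed firewall described in answer 10 above, as an added example (not Windscribe's code): an nftables ruleset whose output chain drops everything by default and only accepts loopback, the encrypted VPN session to the server, and traffic leaving through the tunnel interface. When the tunnel drops, its interface disappears and the drop policy takes over, so no DNS, IPv6 or WebRTC packet can leave on the physical interface. The interface name, server address and port are placeholders.

```shell
#!/bin/sh
# Added example: build a fail-closed VPN firewall ("kill switch") as an
# nftables ruleset. Not Windscribe's code; tun0, 203.0.113.10 and 1194 in
# the usage line are placeholders for the real tunnel interface and endpoint.

# fail_closed_ruleset TUN_IF VPN_SERVER VPN_PORT
# Prints the ruleset to stdout so it can be reviewed before being loaded.
fail_closed_ruleset() {
  tun_if="$1"
  vpn_server="$2"
  vpn_port="$3"
  cat <<EOF
table inet vpn_killswitch {
  chain output {
    type filter hook output priority 0; policy drop;
    # local services on loopback keep working
    oifname "lo" accept
    # the encrypted VPN session itself is the only thing allowed to leave
    # on a physical interface (IPv4 only: IPv6 falls through to the drop
    # policy, which also prevents IPv6 leaks)
    ip daddr $vpn_server udp dport $vpn_port accept
    # DHCP renewals to the local network, so the uplink does not expire
    udp dport 67 accept
    # everything inside the tunnel is fine
    oifname "$tun_if" accept
    # anything else (plaintext DNS, STUN for WebRTC, ...) is dropped; when
    # $tun_if vanishes after a disconnect this is all that remains: it fails closed
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    # replies to connections we opened (the VPN session, DHCP)
    ct state established,related accept
  }
}
EOF
}

# apply_ruleset TUN_IF VPN_SERVER VPN_PORT: load the ruleset (needs root and nft)
apply_ruleset() {
  fail_closed_ruleset "$@" | nft -f -
}

# Usage: sh killswitch.sh tun0 203.0.113.10 1194 | sudo nft -f -
if [ "$#" -ge 3 ]; then
  fail_closed_ruleset "$1" "$2" "$3"
fi
```

To confirm the rules behave as described, disconnect the VPN and check that `nft list table inet vpn_killswitch` still shows `policy drop` while a plain `dig` to an external resolver times out instead of answering.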
2. Our registered legal name is Hexville SRL. We’re under Romanian jurisdiction, inside of the European Union.
3. Our tools are developed in-house. To limit the concurrent connections we keep track of the active connections of users. Every user has a limited number of concurrent connections, depending on his subscription. When he connects, we subtract one. When he disconnects, we add one back. Reach zero and the service will not allow the user to connect until he disconnects one of his active instances.
To limit brute-force types of abuse, we monitor the health of the servers and limit the network priority of obvious DDoS that might be masked through our service. SMTP abuse will also result in temporary port blocking for that service.
5. We designed our system in such a way that DMCA notices cannot be forwarded to our users. A diverse approach is needed to deal with this particular industry issue: from explaining that we don’t host any content to replacing IPs and servers that received multiple strikes.
6. No subpoena has been received by our company. If that happens, we’ll be sure to assist as much as we’re legally obliged. Keep in mind that we don’t have much information to provide.
7. Net neutrality is king. We allow any kind of traffic. P2P included.
8. We use Bitcoin (and many other kinds of virtual currencies: ETH, XRP, DGB, LTC), PayPal, PerfectMoney and credit cards. The sales & billing platform is stored separately from the actual VPN system.
9. We use only the OpenVPN protocol, one of the most secure and hard to crack protocols, with AES-256-CBC cipher, TLSv1/SSLv3 DHE-RSA-AES512-SHA, 2048 bit RSA.
On top of OpenVPN, you can also choose one of the two anti-DPI (Deep Packet Inspection) protocols, “TOR’s OBFSPROXY ScrambleSuit” and “SSL”, that mask your VPN connection from your ISP. These protocols come in handy in places that actively block VPN connections, like China, Egypt or university campuses.
10. Yes, we have an incorporated kill switch in our client and DNS leak protection.
11. We do use our own DNS and Google DNS for some servers.
Because of the nature of the industry, we consider that replacing servers and blacklisted IPs as fast as possible, having the ability to migrate from one ISP to another, and not existing in a constant physical location is a great plus. That’s why we decided to rent the VPN servers.
12. At the time of writing this, we do not offer virtual locations. We offer more than 30 servers in 18 countries and we’re expanding fast. You can find the full list here.
1. We don’t log any individually identifying information. The privacy of our customers is our top priority.
2. Our service is operated by a group of autonomous privacy activists outside of “Fourteen Eyes” or “Enemy of the Internet” countries. Each server is handled within the jurisdiction of the server’s location.
3. There are no tools which monitor our customers but we use techniques which don’t require any logging to prevent the abuse of our service.
4. Our website has been entirely developed by ourselves and thus we don’t rely on external service providers.
5. We reply to takedown notices but can’t be forced to hand out information because of our non-logging policy.
6. This hasn’t happened yet, but if we were forced to identify any of our customers at a specific server location, we would immediately terminate this location. We are not going to log, monitor or share any information about our customers under any circumstances.
7. BitTorrent and other file-sharing traffic is allowed and treated equally to other traffic on all servers.
8. We offer a wide range of anonymous payment methods like Bitcoin, Dash, Ethereum, Paysafecard and Perfect Money. No external payment processor receives any information because all payments are processed by our own payment interface.
9. We would recommend OpenVPN, available in UDP and TCP mode. We are using AES-256-GCM/CBC for traffic encryption, 4096 bit RSA keys for the key exchange and SHA-512 as HMAC. These settings offer you the highest grade of security available.
10. Our VPN Client provides advanced security features like a Kill Switch, DNS Leak Protection, IPv4/IPv6 Leak Protection, WebRTC Leak Protection and many more.
11. We rent 27 servers in 20 countries and are continuously expanding our server park. During the last year we focused on replacing our 100 Mbit/s servers with high-end dedicated gigabit servers and thus the number of servers slightly decreased. It is impossible to have physical control over all widespread servers but we took security measures to prevent unintended server access. At the moment we are using the nameservers of Quad9 which offer good privacy.
12. Every server is physically located in its specified country and thus we don’t offer virtual locations. You can find our server list at the following link.
1. We do not keep or record any logs. We are therefore not able to match an IP-address and a time stamp to a user of our service.
2. The registered name of our company is “Offshore Security EOOD” (spelled “ОФШОР СЕКЮРИТИ ЕООД” in Bulgarian). We’re a VAT registered business. We operate under the jurisdiction of Bulgaria.
3. To prevent mail spam abuse we block mail ports used for such activity, but we preemptively whitelist known and legit email servers so that genuine mail users can still receive and send their emails.
To limit concurrent connections to 6, we use our in-house developed system that adds and subtracts +1 or -1 towards the user’s “global-live-connections-count” in a database of ours which the authentication API corresponds with anonymously each time the user disconnects or connects to a server. The process does not record any data about which servers the subtracting/detracting is coming from or any other data at any time, logging is completely disabled at the API.
4. We host our own email servers in Switzerland. We host our own Ticket Support system on our servers in Switzerland. The only external tools we use are Google Analytics for our website and Zopim Live Chat.
5. DMCA notices are not forwarded to our members as we’re unable to identify a responsible user due to not having any logs or data that can help us associate an individual with an account. We would reply to the DMCA notices explaining that we do not host or hold any copyrighted content ourselves and we’re not able to identify or penalize a user of our service.
6. This has not happened yet. Should it happen our attorney will examine the validity of the court order in accordance with our jurisdiction, we will then delegate our no logs policy to the appropriate party pointing out that we’re not able to match a user to an IP or timestamp due to not keeping or recording any logs. In our six year history we’ve upheld our reputation and we believe one of the reasons such court orders don’t reach us is our clearly stated no-logs policy.
7. BitTorrent/P2P is allowed on most of our servers but not all of them. Why not? Some servers that we use are not tolerant to DMCA notices, but some of our members utilize them for other activities not related to torrenting. That is why we keep them in our network despite the inability to use P2P/torrents on them. Most of our VPN servers and locations do allow torrents and P2P. We even allow torrenting on server locations that most VPN providers don’t, such as USA and Canada.
8. We accept PayPal, Credit/Debit cards and Webmoney via third party payment processor, plus Bitcoin and Payza. We do not require personal details to register an account with us. In the case of PayPal/Payza/card payments we link usernames to their transactions so we can process a refund. We do take active steps to make sure payment details can’t be linked to account usage or IP assignments. We do not use a recurring payments system.
9. We use AES-256-CBC + SHA256 cipher and RSA4096 keys on all our VPN servers without exception. We also have Double VPN servers, where for example the traffic goes through Russia and Israel before reaching the final destination.
10. Yes, we provide both KillSwitch and DNS Leak protection for our Windows and Mac apps. Our new Android app already has DNS Leak protection and AdBlocking and within a couple of days will also have KillSwitch in the upcoming new version.
11. We work with reliable and established data centers. Nobody but us has virtual access to our servers. The entire logs directories are wiped out and disabled, rendering possible physical brute force access to the servers useless in terms of identifying users.
12. All our servers are physically located in the stated countries. A list of our servers in 70 countries can be found here.
2. The name of the company is Air and it is located in Italy.
3. We do not use any monitoring or traffic inspection tools. We do associate a connections counter for each account to enforce the limit of five simultaneous connections per account. We also promptly investigate any service (website etc.) running behind our service to prevent phishing and other scams (malware spreading, bot controllers, etc) if we receive a complaint about them. However, checking those services after a complaint or a warning from a third-party does not require any traffic monitoring.
4. Absolutely not.
5. They are ignored.
6. The matter is handled by our law firm which explains to the competent authorities how our system works and why it is not possible to track a user “ex-post” when such identification requires access to traffic logs, which simply do not exist. We have so far not received any order trying to force us to “log activity going forward” and we would not be able to comply for strictly technical reasons.
7. Yes, BitTorrent (just like any other protocol) is allowed on all servers without any re-routing.
8. Nowadays we use Coinpayments, BitPay, PayPal and Avangate. We accept a wide variety of cryptocurrencies and several credit cards. We also planned to accept payments in Bitcoin (and some other cryptocurrency) directly in late 2018, with no need for any third party payment processor, which anyway does not require any personal data to complete a transaction.
We do not keep any information about account usage and/or IP address assignments, so there can’t be any correlation with any payment. As usual a customer needs to consider that any payment via a credit card or PayPal will be recorded for an indefinite amount of time by the respective financial companies. We also accept cryptocurrencies inherently designed to provide a strong layer of anonymity.
9. We recommend only and exclusively OpenVPN. A proper configuration must include TLS mode, Perfect Forward Secrecy, 4096 bit Diffie-Hellman keys, and at least 2048 bit (preferably 4096 bit) RSA keys. About the channel ciphers, AES-256 both on the Control Channel and the Data Channel is an excellent choice, while digests like HMAC SHA (when you don’t use an AEAD cipher such as AES-GCM) for authentication of packets are essential to guarantee integrity (preventing for example injection of forged packets in the stream), both on the Control and the Data channels.
Our service provides all of the above. About Elliptic Curve Cryptography, since it is finally in the public domain that at least one random number generator (Dual_EC_DRBG) had a backdoor, and that an NSA program did exist with the aim to implement backdoors in some curves and then have exactly those curves recommended by NIST, for the time being we would suggest dropping ECC completely, just to stay on the safe side and according to Bruce Schneier’s considerations.
10. Yes, of course. They are integrated in our free and open source software “Eddie” released under GPLv3. Anyway, usage of our software is not mandatory to access our service, so we also provide guides to prevent any kind of traffic leaks outside the VPN “tunnel” on a variety of systems.
11. The VPN server management is never outsourced. Even the IPMI, which has proven to be the source of extremely dangerous vulnerabilities, is patched and access-restricted by the AirVPN core management persons only. The Air company does not own datacenters. Owning a datacenter would put Air in a vulnerable position in the scenario described in your question number 6 (second part: court order to start logging traffic).
12. We do not offer “virtual” locations. No IP address geo-location trick, hidden re-routing or any other trick is ever performed. We do not use Virtual Servers at all. Currently, we have physical (bare metal) servers really located in the following countries: Austria, Belgium, Bulgaria, Canada, Czech Republic, Germany, Hong Kong, Japan, Latvia, Lithuania, Netherlands, Norway, Romania, Singapore, Spain, Sweden, Switzerland, Ukraine, United Kingdom, United States.
1. Trust.Zone doesn’t store any logs. All we need from users is just an email to sign up. No first name, no last name, no personal info, no tracking, no logs.
2. Trust.Zone is under Seychelles jurisdiction and we operate according to the law in Seychelles. There is no mandatory data retention law in Seychelles. In our jurisdiction, a foreign court order would not be enforceable and since we don’t store any logs, there is nothing to be taken from our servers. The company is operated by Extra Solutions Ltd.
3. We have no usage restriction on our service. As we don’t have any logs, we can’t track any user online activity. Trust.Zone doesn’t use any third party tools on the website. The single restriction we have is three simultaneous connections per user.
5. If we receive any type of DMCA requests or Copyright Infringement Notices – we ignore them. Why? Trust.Zone is under Seychelles offshore jurisdiction. There is no mandatory data retention law in Seychelles. Since we don’t store any logs, there is nothing to be had from our servers.
6. A court order would not be enforceable because we do not log information and therefore there is nothing to be had from our servers. Trust.Zone is a VPN provider with a Warrant Canary. Trust.Zone has not received or has been subject to any searches, seizures of data or requirements to log any actions of our customers.
7. We don’t restrict any kind of traffic. Trust.Zone does not throttle or block any protocols, IP addresses, servers or any type of traffic whatsoever.
8. All major credit cards are accepted. Besides, Bitcoin, PayPal, Webmoney, Alipay, wire transfer and many other types of payments are available. To stay completely anonymous, we highly recommend using anonymous payments via Bitcoin.
9. Trust.Zone uses the highest level of data encryption. We use a protocol which is faster than OpenVPN and also includes Perfect Forward Secrecy (PFS). The unique feature of Trust.Zone VPN is that you can forward your VPN traffic via ports – 21(FTP) 22 ( SCP, SFTP ), 80 (HTTP), 443 (HTTPS) or 1194 (OpenVPN), most of which can’t be blocked by your ISP. Trust.Zone uses AES-256 Encryption by default. We also offer L2TP over IPsec which also uses 256bit AES Encryption.
10. Trust.Zone supports a kill-switch function. We also own our DNS servers and provide users with our DNS to avoid any DNS leaks. Trust.Zone has no support for IPv6 connections to avoid any leaks. We also provide users with additional recommendations to be sure that there are no DNS leaks or IP leaks.
11. We have a mixed infrastructure. Trust.Zone owns some physical servers and we have access to them physically. In locations with lower utilization, we normally host with third parties. But the most important point is that we use dedicated servers in this case only, with full control by our network administrators. DNS queries go through our own DNS servers.
12. We are operating with 150+ servers in 30+ countries and still growing. The most popular Trust.Zone locations are France, Australia, US, Canada and UK. The full map of the server locations is available here.
1. We don’t keep any logs.
2. CactusVPN Inc., Canada
3. We restrict our services to up to five devices per package for VPN connection and to unlimited devices for the SmartDNS service as long as all of them have the same IP address. Abuse of services is regulated by our Linux firewall, and most of the datacenters we hire servers from provide additional security measures against server attacks.
5. We did not receive any official notices yet. We will only respond to a local court order.
6. If we have a valid order from Canadian authorities we have to help them identify the user. But as we do not keep any logs we just can’t do that. We did not receive any orders yet.
7. BitTorrent and other file-sharing traffic is allowed on Netherlands, Germany, Switzerland and Romanian servers.
8. PayPal, Visa, MasterCard, Discover, American Express, Bitcoin & Altcoins, Alipay, Qiwi, Webmoney, Boleto Bancario, Yandex Money and other not so popular payment options.
9. We recommend users to use SoftEther with ECDHE-RSA-AES128-GCM-SHA256 cipher suite.
10. Yes, our apps include Kill Switch and Apps Killer options in case a VPN connection is dropped. Also they include DNS Leak protection.
11. We use servers from various data centers.
12. USA, UK, France, Germany, Canada, Netherlands, South Korea, Australia, Poland, Japan, Switzerland, Singapore, Romania.
1. ShadeYou VPN does not keep any logs. To use our service only a username and e-mail are required. No personal or real data is required.
2. We are incorporated as DATA ACCENTS LP and operate under the United Kingdom jurisdiction.
3. Limits of concurrent connections are regulated in real time on the server side by our own developed tools without any logs kept.
4. We are using Google Analytics as a tool which allows us to improve our website and bring our users better experience. Also, we are using SiteHeart online support. But none of these tools track / hold personal information.
6. There are no special steps since we have no logs to share and analyze. It means we can’t help with identifying the active or past user of our service. Logging activity is not acceptable for our service. We had different cases but we can guarantee that none of our users were compromised.
7. BitTorrent and any other file-sharing traffic is allowed mostly on all our servers. There are only a few exceptions (such as when traffic is limited on the servers).
8. ShadeYou VPN uses payment systems including PayPal, Perfect Money, Webmoney, Qiwi, Yandex Money, Easy Pay, Ligpay, UnionPay, AliPay, MINT, CashU and Ukash, and also accepts payments via Visa, Master Card, Maestro and Discover. Of course, Bitcoin is available. Important note: we do not store billing information, which is required to improve users’ safety.
9. We strongly recommend using OpenVPN since it is the safest and uses the strongest encryption (TLS Protocol with 4096-bit key length and AES-256-CBC crypto-algorithm).
10. We support “Kill switches” and DNS leak protection using our desktop client.
11. All our servers are collocated around the world in data centers of different leading hosting companies. Yes, we are using our own DNS servers.
12. Here is an overview of where all servers are physically located.
1. We don’t retain or log any identifiers, namely IP addresses, timestamps of any sort of connections on our VPN or authentication servers, data used, or the speed of connection, at all. Period.
2. PrivateVPN is run by a Swedish company viz. ‘Privat Kommunikation Sverige AB’ under Swedish jurisdiction.
3. Owing to our above-mentioned privacy promise, active monitoring of our service is out of the question.
4. We use a service known as LiveAgent to provide email or ticket and live chat support. They do not hold any information about chat sessions. Chat conversation transcripts are not stored on chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email to a user, and then destroyed.
5. DMCA is not applicable to our service as it is not a codified law or act under Swedish jurisdiction. So, it is none of our business. A Swedish equivalent isn’t in the scene as of now in our jurisdiction at all.
6. As already mentioned above, we don’t retain or log any identifiers at all. So, basically even when ordered to actively investigate a user we are limited to the number of active logins which is just a numerical value. That being said, we have not received a court order to date.
7. Of course, we are not in the business of restricting and throttling things. The whole point of a user connecting to our VPN servers is to get uncensored and unrestricted Internet.
8. We support PayPal, Stripe, and Bitcoin. Alipay as a payment method is en route. We offer a 30-day money-back guarantee and in order to enforce it, we keep a track of payments linked to a user account. There is no way to link an IP address assigned from us to a user account as we do not log such data.
9. No single VPN protocol works for everyone. We support multiple VPN protocols viz. PPTP, L2TP, IPsec, IKEv2, OpenVPN, Shadowsocks (beta) and soon SSH (in labs). Our default VPN protocol on all the platforms other than iOS is OpenVPN over UDP with 256-bit AEAD ciphers when you use our VPN application.
We recommend a user with an ideal ISP to use OpenVPN over UDP/1194. In case your ISP happens to throttle default OpenVPN port 1194, you can use OpenVPN over TCP/443, which is deployed with the latest --tls-crypt that OpenVPN offers for additional privacy and very basic obfuscation of the protocol itself.
For users who love built-in VPN clients for an OS, like Windows, Mac, Blackberry, iOS etc, we recommend IKEv2. For users from UAE, Egypt, some parts of China etc, we are working on secure Shadowsocks over TCP/80 with AEAD cipher and/or SSH-based solutions to tunnel their OpenVPN traffic. Shadowsocks is already being tested and working with many happy new and old users from Egypt & UAE. For Tor lovers, we offer a guide, help, instructions on how to connect to our OpenVPN servers over Tor for additional security and privacy.
10. Our Windows VPN App offers robust Kill switch and DNS leak protection. DNS leaks on any major platform are owing to broken installations which are fixed as soon we see a report or any issues. IPv6 leak protection is available on every platform and multiple VPN protocols. We offer guides and instructions to set up a kill switch on macOS, GNU/Linux, BSD etc and are rapidly working with our developers to add these features in our easy to use and install VPN applications.
11. We have physical control over our servers and network in Sweden. We’re only using trusted data centers with strong security. Our providers have no access to PrivateVPN’s servers and most importantly, there is no customer data/activities stored on the VPN servers or on any other system we have.
We have deployed our own multiple DNS nameservers which work from within the tunnel and are automatically pushed to VPN clients upon successful connection. You are at liberty to use whatever DNS nameservers you like though. For example, if you or someone you trust hosts a server with additional security features like DNSCRYPT and DNSSEC, it is fair if you wish to use it.
2. Octane Networks, LLC. US registered company.
3. We block port 25 outbound to reduce the possibility of spam. Our auth system limits concurrent connections via our custom backend.
4. We use Google Analytics for general website trends. We use Hotjar occasionally for A/B and user experience testing. Support is internal.
5. If the customer session is still connected to our service we take action. Repeat infringers must be disabled since we are a US based company and must comply with DMCA.
6. This has not happened. We would take every action we legally could to maintain the privacy of our customers. Since logs are not used, there is little information we could provide if ordered to do so by a court of competent jurisdiction.
7. Yes. We operate with net neutrality with the exception of restricting outgoing SMTP to prevent spammers from abusing the service.
8. Bitcoin, Credit/Debit Card and PayPal. IP addresses are not linked to payment details.
10. Our client disables IPv6 completely as part of our DNS and IP leak protection in our Windows and Mac OS X OctaneVPN clients. Our OpenVPN based client’s IP leak protection works by removing all routes except the VPN route from the device when the client has an active VPN connection.
This is a better option than a ‘kill switch’ because our client ensures the VPN is active before it allows any data to leave the device, whereas a ‘kill switch’ typically monitors the connection periodically, and, if it detects a drop in the VPN connection, reacts. With a ‘kill switch’, data sent during the time between checks is potentially vulnerable to a dropped connection. Our system is proactive vs a reactive kill switch.
11. In our more active gateway locations, we colocate. In locations with lower utilization, we normally host. We do not do the virtual location BS you hear about sometimes. Each of our gateways acts as a DNS server for the end-user.
12. We have gateways in 45 countries and 92 cities.
1. SlickVPN doesn’t log traffic or session data of any kind. We don’t store connection time stamps, used bandwidth, traffic logs, or IP addresses.
2. Slick Networks, Inc. is our recognized corporate name. We operate a complex business structure with multiple layers of offshore holding companies, subsidiary holding companies, and finally some operating companies to help protect our interests. The main marketing entity for our business is based in the United States of America but the top level of our operating entity is based out of Nevis.
3. We block port 25 to reduce the likelihood of spam originating from our systems. The SlickVPN authentication backend is completely custom and limits concurrent connections.
4. We utilize third party email systems to contact clients who opt in for our newsletters and Google Analytics for basic website traffic monitoring and troubleshooting. We believe these platforms to be secure. Because we do not log your traffic/browsing data, no information about how users may or may not use the SlickVPN service is ever visible to these platforms.
5. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session. Otherwise, we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we rarely receive a valid DMCA complaint while a user is still in an active session.
6. This has never happened in the history of our company. Our customer’s privacy is of topmost importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. SlickVPN uses a warrant canary to inform users if we have received any such requests from a government agency. Users can monitor our warrant canary here: SlickVPN Warrant Canary
7. Yes. All traffic is allowed. SlickVPN does not impose restrictions based on the type of traffic our users send.
8. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America (Marketing) and the other platform is operated out of Nevis (Operations).
Payment details are held by our marketing company which has no access to the Operations data. We offer the ability for the customer to permanently delete their payment information from our servers at any point and all customer data is automatically removed from our records shortly after the customer ceases being a paying member.
9. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and we use the AES-256-CBC algorithm for encryption.
10. Our leak protection (commonly called a ‘kill-switch’) keeps your IPv4 and IPv6 traffic from leaking to any other network and protects against DNS leaks. Your network will be disabled if you lose the connection to our servers and the only way to restore the network is manual intervention by the user.
11. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties unless there is enough demand in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. We’re currently in the process of deploying 10Gb connected nodes that are physically controlled by our company.
In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We periodically remount our ramdisks to remove any lingering data. Each of our access servers acts as the DNS server for customers connected to that node.
12. At SlickVPN we actually go through the expense of putting a physical server in each country that we list. SlickVPN offers VPN service in 40 countries around the world. We do not offer virtual locations.
1. No. The only logs on our servers are security related, such as:
[root@wilno ~]# tail -n1 /var/log/messages
Feb 21 17:27:51 wilno kernel: grsec: exec of /usr/bin/tail (tail -n1 /var/log/messages ) by /usr/bin/tail[bash:14447] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:12336] uid/euid:0/0 gid/egid:0/0
This is so we can monitor for unauthorized commands in the unlikely event that a server is compromised by some 0day exploit. Strict privilege separation and access control is done to minimize the access any potential attackers would get if any of our services were vulnerable to a 0day exploit. None of those logs contain any customer-related data.
2. Cryptostorm consists of several different entities that are in different regions. This is so if any adversary were to put legal pressure on one of those entities, we can simply drop and replace it, along with any resources that might be under it. The names and locations of these entities are not publicly disclosed, simply to make it more difficult for any potential adversaries.
3. Abuse is mitigated by using snort’s NFQ DAQ as an Intrusion Prevention System. This allows us to block the most basic or automated attacks/scans that would violate the Terms of Service at most data centers. It also allows us to prevent basic attacks without requiring us to keep any data that could be used to identify a customer. No customer IPs ever show up in those snort alerts.
5. Most of the data centers we’ve chosen aren’t legally required to do anything about DMCA or similar complaints. The few that are legally required to do something, are only required to forward the complaint to us. Currently, the only exception is one of our Netherlands data centers, who requires a response from us. For them, we use a template very similar to this.
If an ISP, data center, or anyone else were to request customer information related to a DMCA complaint, we wouldn’t be able to provide anything since we don’t have anything. If a data center threatens to suspend our server if we don’t comply, we simply stop doing business with that data center.
6. The locations of the entities that make up Cryptostorm were specifically chosen for their strong privacy and business laws. We wouldn’t be able to comply with any court order requesting customer information since we don’t have any information to give. If a court successfully ordered one of our entities to start collecting customer information, we would absolve any entities in that court’s region.
In the highly unlikely event that international courts coordinating together were successful in ordering all of our entities to comply, we would shut down Cryptostorm, Lavabit style. As of February 2018, we have never received any such court orders. If we were to receive any “gag orders”, our warrant canary would inform customers of its existence.
8. Credit/debit card payments are accepted via PayPal and Stripe. Bitcoin is accepted through BitPay. Bitcoin, Bitcoin Cash, BlackCoin, Dash, DigiByte, Dogecoin, Ether Classic, Ether, GameCredits, Litecoin, PotCoin, Vertcoin, Monero, and Zcash are accepted through CoinPayments.net. Our anonymous token authentication system plus our no-logging policy prevents us from knowing which customers are connected to which server, or what traffic they’re generating on that server.
9. Our most secure OpenVPN instances use: SHA512 for authentication; AES-256-GCM to encrypt the data channel; TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 for the control channel, forced to TLS v1.2 to prevent downgrade attacks; Unique 4096-bit DH parameters for perfect forward secrecy; prime256v1 ECC server/CA certificates, signed with ecdsa-with-SHA512; 2048-bit static key for additional encrypting/authenticating of control channel packets.
For backwards compatibility on older devices that might not support OpenVPN 2.4.x, we also provide instances using: SHA512 for auth, AES-256-CBC for the data channel, TLS-DHE-RSA-WITH-AES-256-CBC-SHA for the control channel, and unique 2048-bit DH parameters for perfect forward secrecy.
10. We do provide firewall rule sets for IPtables, ufw, pf, etc. For Windows users, our open-source VPN client includes a kill switch.
11. We rent/lease servers at various data centers throughout the world. To account for the possibility of physical compromise (i.e., a confiscated server), each server is designed to be as disposable as possible. We don’t keep any data on the servers that can be used to identify a customer, and the data cannot be used to gain access to any other server. We do use our own DNS servers, and we also provide more secure alternatives to DNS such as DNSCrypt and DNSChain.
12. Currently, we have servers in Germany, Netherlands, Lithuania, Finland, Poland, Moldova, Spain, Latvia, Canada, England, Italy, France, Switzerland, Portugal, and eight US servers. We do not use VPS/VMs for our VPN servers. Only bare metal dedicated servers.
1. Our OpenVPN servers are configured with “verb 0” so that they keep no logs at all.
2. What The * Services, LLC is incorporated in the USA. We have VPN servers in the USA, Germany, and the Netherlands.
3. We use a custom session management system which operates completely on real-time data and keeps no logs. The session management infrastructure (and all VPN servers) is built on top of OpenBSD and uses the services built into OpenBSD to enforce user management.
4. We run all of our own communications infrastructure. However, we do use Google Analytics on the WhatTheServer.me website.
5. We have never received a DMCA take-down notice or a non-US equivalent regarding our VPN service. However, we did receive a DMCA take-down notice regarding a website one of our customers was running on our Virtual Private Servers.
We responded by replying to the requester letting them know we were looking into it, and we notified the customer via his email on file. Then we contacted the EFF and they put us in touch with a lawyer who helped us get the case dropped, because we did not have the information requested. The customer’s identity was never revealed to the people making the DMCA take-down request, because the bill was paid in Bitcoin & a throwaway email account was used.
6. We have not yet received such a court order or subpoena for user information. However, if we do we will take several steps. First, we would consult with our lawyers to confirm the validity of the order/subpoena, and respond accordingly if it is NOT a valid order/subpoena. Then we would alert our user of the event if we are legally able to.
If the order/subpoena is valid, we would see if we have the ability to provide the information requested, and respond that we do NOT have the information requested. If we DO have the information requested, we would immediately reconfigure our systems to stop keeping that information. Then we would consult with our lawyer to determine if there is any way we can fight the order/subpoena and/or what is the minimum level of compliance we must meet, as well as, notify the user of the event if we are legally able to do so.
If we were forced to start keeping logs on our users, we would go out of business and start a new company in a different jurisdiction.
7. BitTorrent and other file-sharing traffic is allowed on all VPN/Proxy servers which are NOT located in the USA.
8. We accept PayPal, as well as Monero, Bitcoin and over 140 CryptoCurrencies and AltCoins via CoinPayments.net. We encourage our users to pay with anonymous payment methods and supply false contact information. We also use a completely different authentication infrastructure and random usernames for the VPN accounts.
9. All of our OpenVPN and SOCKS Proxy servers are running OpenBSD and are using LibreSSL instead of OpenSSL. This protects our servers from a wide range of attacks on the encryption. Our OpenVPN Servers use AES-256-CBC & SHA512 HMAC for the Data Channel, and DHE-RSA-AES256-GCM-SHA384 on the Control Channel. Our OpenVPN Servers are also configured with 4096-bit RSA keys and custom 4096-bit Diffie-Hellman parameters. Our SOCKS Proxy is based on OpenSSH, so they support any ciphers the client wants to use. With the OpenSSH protocol, the Client decides what cipher to use instead of the Server.
10. We push Google DNS 8.8.8.8 and 8.8.4.4 to clients. We also have ‘push “block-outside-dns”’ in our OpenVPN server config files which will prevent the client from leaking DNS requests. Additionally, we include “resolve-retry infinite” and “persist-tun” in the OpenVPN client config files which will prevent the client from sending data in the clear if the VPN connection goes down.
11. All of our infrastructure is hosted in third party colocations. However, we use full-disk-encryption on all of our servers. We use Google DNS at this time but we are currently testing alternatives.
12. We offer VPN server locations in the USA, Germany, and Netherlands.
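As an added example (not from the article or from any of the providers quoted here), this Python script audits an OpenVPN client configuration against the directives WhatTheServer, Cryptostorm and PrivateVPN mention above: persist-tun, resolv-retry infinite (OpenVPN's spelling of the directive quoted as "resolve-retry"), block-outside-dns, tls-crypt or tls-auth, a TLS 1.2 minimum and an AEAD data cipher. The hostname vpn.example.invalid and both sample configs are constructed.

```python
"""Added example, not code from the TorrentFreak article or any provider quoted in it.
Audits an OpenVPN *client* config for the leak-protection and crypto directives the
providers above mention (persist-tun, resolv-retry infinite, block-outside-dns,
tls-crypt/tls-auth, tls-version-min 1.2, AEAD cipher, SHA-2 auth). Samples are constructed."""
from __future__ import annotations

from typing import NamedTuple

AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
STRONG_DIGESTS = {"SHA256", "SHA384", "SHA512"}
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}
Finding = NamedTuple("Finding", [("severity", str), ("directive", str), ("message", str)])


def parse_ovpn(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to the argument lists of its occurrences; '#'/';'
    comment lines are dropped and inline <ca>...</ca> blocks are skipped."""
    directives: dict[str, list[list[str]]] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):       # end of an inline block
            in_block = False
        elif line.startswith("<"):      # start of an inline block
            in_block = True
        elif not in_block:
            name, *args = line.split()
            directives.setdefault(name.lower(), []).append(args)
    return directives


def audit_client_config(text: str) -> list[Finding]:
    """Return findings for one client config, most severe first."""
    d = parse_ovpn(text)
    found: list[Finding] = []

    def arg(name: str) -> str | None:   # first argument of the first occurrence
        occ = d.get(name)
        return occ[0][0] if occ and occ[0] else None

    # Behaviour when the tunnel drops or the server name cannot be resolved.
    if "persist-tun" not in d:
        found.append(Finding("high", "persist-tun", "missing: TUN device is torn down on restart, so packets can leave unencrypted"))
    if arg("resolv-retry") != "infinite":
        found.append(Finding("medium", "resolv-retry", "not 'infinite': client gives up instead of retrying the VPN server"))
    if "block-outside-dns" not in d:
        found.append(Finding("info", "block-outside-dns", "not set locally (Windows only; a server may push it instead)"))

    # Control channel: packet authentication before the TLS handshake, minimum TLS version.
    if "tls-crypt" not in d and "tls-auth" not in d:
        found.append(Finding("high", "tls-crypt", "missing (no tls-auth either): control-channel packets are accepted unauthenticated"))
    tv = arg("tls-version-min")
    try:
        tls_ok = tv is not None and float(tv) >= 1.2
    except ValueError:
        tls_ok = False
    if not tls_ok:
        found.append(Finding("medium", "tls-version-min", f"{tv or 'missing'}: older TLS versions stay negotiable"))

    # Data channel: AEAD cipher; the 'auth' digest still keys the tls-crypt/tls-auth HMAC.
    ciphers = (arg("data-ciphers") or arg("cipher") or "").upper().split(":")
    weak = [c for c in ciphers if c not in AEAD_CIPHERS]
    if weak:
        found.append(Finding("medium", "cipher", f"{':'.join(weak) or 'missing'}: not AEAD; AES-256-GCM preferred"))
    auth = (arg("auth") or "").upper()
    if auth not in STRONG_DIGESTS:
        found.append(Finding("medium", "auth", f"{auth or 'missing'}: use SHA256 or stronger"))

    return sorted(found, key=lambda f: (SEVERITY_RANK[f.severity], f.directive))


# Constructed sample: a bare-bones client config with no leak protection.
WEAK_CLIENT_CONFIG = """\
client
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA1
<ca>
(certificate omitted)
</ca>
"""

# Constructed sample with the directives the providers above describe (OpenVPN 2.4+).
HARDENED_CLIENT_CONFIG = """\
client
remote vpn.example.invalid 443
resolv-retry infinite
persist-tun
block-outside-dns
tls-version-min 1.2
tls-crypt ta.key
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA512
verb 0
"""
```

Directives a server pushes (as WhatTheServer does with block-outside-dns) are not visible in the client file, so a reported "info" on that line is a prompt to check the server-side push, not a definite gap.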
1. We do not keep any log that can identify a user of our service with an IP address and/or a timestamp. We are getting ready to be GDPR compliant and (in our opinion) keeping these kinds of logs is not respecting the Privacy by Design guidelines.
2. Company’s registered name is Amplusnet SRL. We are a Romanian company, which means we are under EU jurisdiction.
3. We limit the number of concurrent connections and we are using Radius for this purpose.
4. The back end of the website is a dedicated WHMCS for billing and support tickets. We do not use external e-mail providers (we host our own mail server). Our users can contact us via live chat (Zopim). The chat activity logs are deleted on a daily basis. There is no way to associate any information provided via live chat with the users’ account.
5. So far we did not receive any DMCA notice for any P2P server from our server list. That is normal considering that the servers are located in DMCA free zones. For the rest of the servers, p2p and file sharing activities are not allowed/supported.
6. So far, we have not received any court order. We do not support criminal activities, and in case of a valid court order, we must follow the EU laws under which we operate.
7. We have dedicated P2P servers that allow BitTorrent and other file-sharing applications. The servers are located in Netherlands, Luxembourg, Canada, Sweden, Russia, Hong Kong and Lithuania. We do not reroute P2P connections.
8. Payments are performed exclusively by third party processors, thus no credit card info, PayPal ids or other identifying info are stored in our database. For those who would like to keep a low profile, we accept BitCoin, LiteCoin, Ethereum, WebMoney, Perfect Money etc.
9. We support SSTP and SoftEther on most of the servers. We also offer double VPN and TOR over VPN.
10. Yes, Kill Switch and DNS leak protections are implemented in our VPN Clients. Kill Switch is one of the most used features. Our users can decide to block all the traffic when the VPN connection drops or to kill a list of applications. We allow customers to disable IPv6 Traffic and to make sure that only our DNS servers are used while connected to the VPN.
11. We do not have physical control over our VPN servers. We have full remote control to all servers. Admin access to servers is not provided for any third party.
12. The full list of server locations is available here.
1. Our entire infrastructure and VPN service is built to ensure that no logs can be stored – anywhere. Our servers are locked in cabinets and operate without any hard drives. We use a tailored version of Alpine, which doesn’t support SATA controllers, USB ports etc. To further increase security, we use TRESOR and grsecurity to be resistant to cold boot attacks.
2. OVPN Integritet AB (Org no. 556999-4469). We operate under Swedish jurisdiction.
4. For website insights, we use Piwik, an Open Source solution that we host ourselves. The last two bytes of visitors’ IP addresses are anonymized; hence no individual users can be identified. For support, we use an internally built system.
The mail server is hosted by Glesys, a trusted provider in Sweden. Automatic emails from the website are sent using Mailgun, but we never send any sensitive information via email. Zendesk chat is used for live chat, which we will eventually migrate from when we’ve built a satisfactory in-house solution.
5. Since we don’t store any information, such requests aren’t applicable to us.
6. We can’t provide any information to the court. A court wouldn’t be able to do that [require logging] in our jurisdiction – but in case it did happen we would move the company abroad.
8. We offer PayPal, credit cards (via Braintree), Bitcoin (via Bitpay), cash in envelopes as well as a Swedish payment system called Swish. We never log IP addresses of users, so we can’t correlate an IP address to a payment.
9. We offer AES-256-GCM. In terms of connection, we recommend using our Multihop add-on.
11. Yes. We own all the servers and routers, and they’re co-located in various data centers in locked cabinets.
12. USA, Germany, Sweden, United Kingdom, the Netherlands, Canada and Norway. No virtual locations are offered.
2. Amagicom AB, Sweden.
3. We limit the number of simultaneous connections to five per account. This is monitored in real time by our VPN servers which report this information to our central service. When a customer connects to one of our servers, the server asks the central service if the account has reached its connection limit. As we do not save this information, we cannot, for example, tell you how many connections your account had five minutes ago.
4. We have no external elements at all on our website. We do use an external email provider; for those who want to email us, we encourage them to use PGP encryption which is the only effective way to keep email somewhat private. The decrypted content is only available to us.
5. There is no such Swedish law that is applicable to us.
6. From time to time, we are contacted by governments asking us to divulge information about our customers. Given that we don’t store activity logs of any kind, we have no information to give out. So far this has never happened.
In addition, we do not believe that it’s possible for Swedish law to order us to actually give out information about our users. Not that we would anyway. We started Mullvad for political reasons and would rather discontinue the service than have it work against its purpose.
7. All traffic is treated equally, therefore we do not block or throttle BitTorrent or other file-sharing protocols.
8. We accept cash, Bitcoin, Bitcoin Cash, bank wire, credit card, PayPal, and Swish. We encourage anonymous payments via cash or one of the cryptocurrencies. We run our own full node in each of the blockchains and do not use third parties for any step in the payment process, from the generation of QR codes to adding time to accounts. Our website explains how we handle payment information.
9. On Windows, macOS, and mobile, we offer OpenVPN with RSA-4096 and AES-256-GCM. On Linux, we also offer WireGuard which uses Curve25519 and ChaCha20-Poly1305. We also offer an experimental post-quantum secure VPN tunnel using WireGuard and NewHope.
10. We offer a kill switch and DNS leak protection, both of which are supported for IPv6 as well as IPv4. While the kill switch is only available via our client/app, we also provide a SOCKS5 proxy that works as a kill switch and is only accessible through our VPN.
11. Yes, we use our own DNS servers.
12. Our website has an up-to-date server list.
1. We do not log, period. No meta-data logging, no traffic logging, no bandwidth usage tracking. We do not have any hidden fair usage policy. We respect our users’ privacy. We do not store any personal or billing information on VPN servers. IPs are shared amongst users and our configuration makes it extremely difficult to single out any user.
2. We are registered in USA and operate as AceVPN.com
3. We have developed tools to mitigate abuse.
4. We use Google Analytics on www.acevpn.com (marketing site). We do not track proxied pages. We use G Suite for email. Emails are deleted regularly.
5. If we receive DMCA takedown, we block the port mentioned in the complaint. IPs are shared by other users and our configuration makes it extremely difficult to single out any user. We do not share any information with third parties.
6. To date, we have not received a court order. We only store billing information which the payment processor or bank or credit card issuer has.
7. We have special servers for P2P and are in datacenters that allow such traffic. These servers also have additional security to protect privacy when p2p programs are running. We do not reroute traffic as this requires inspecting and analyzing traffic which contradicts our no logs policy.
8. We accept Paypal, Bitcoins and Credit cards for payments. We store billing information on a secure server separate from VPN servers and do not track usage nor IP assignments.
9. Both our IKEv2 and OpenVPN support Elliptic curve cryptography (ECC) which we recommend for secure connectivity. To give an idea, 384-bit ECDSA is equivalent to RSA 7680 bits. The higher the bits, the more secure it gets.
10. Yes, we do provide kill switches if a connection drops. Our servers are tested for DNS leaks.
11. We have full control over our servers. Servers are housed in reputed datacenters. Many of them are ISO certified and are designed to the highest specifications for performance, reliability and security. We operate our own DNS servers (Smart DNS) for streaming videos. For VPN, we use Google, OpenDNS and Level3 DNS.
12. We have servers in 26+ countries and 50+ locations/datacenters: USA, Brazil, Canada, Mexico, Denmark, Egypt, France, Germany, Ireland, Italy, Japan, Latvia, Luxembourg, Netherlands, Norway, Romania, Russia, Spain, Sweden, Switzerland, Turkey, UK, Hong Kong, Singapore, Australia, and South Africa.
2. The name of the company is BLACKVPN LIMITED and is registered in Hong Kong and operates under the jurisdiction of Hong Kong.
3. Most of the time we use iptables to manually monitor and mitigate abuse, but in some special and complicated cases we have used fwsnort and psad to detect hacking and spamming from our platform. Limiting concurrent sessions is done through built in functionality in FreeRadius.
4. We run our own email server plus support and live chat systems using open source tools. We use StreamSend for sending generic welcome and renewal reminder emails, as well as for the occasional news updates. We have Twitter widgets on our frontpage that may track visitors. We use our own website analytics (Piwik) where we only save anonymous IP data.
5. We block the port in the firewall on the server listed in the notice.
6. If we received a valid court order from a Hong Kong court, then we would be legally obliged to obey it. So far this has never happened.
7. Bittorrent traffic is not restricted in our Privacy VPN locations, but due to stricter enforcement of DMA notices in the USA and UK we restrict most BitTorrent traffic and only whitelist torrents of known open source software.
8. PayPal and PaymentWall for Credit Cards, Bank Transfers and Prepaid cards. Coingate for all kind of Cryptocurrencies. The transaction details (ID, time, amount, etc) are linked to each user account.
9. We recommend using IKEv2 or OpenVPN for the most secure VPN connection. We support the very secure GCM cipher mode (AES-256-GCM) together with 4096-bit RSA and Diffie-Hellman keys. We also enforce DHE/ECDHE-enabled cipher suites, and key exchange is done with Diffie-Hellman, providing forward secrecy.
10. For OpenVPN, we stop IPv6 and DNS leaks with the OpenVPN config, and we also disable and blackhole all IPv6 traffic server side. Our custom VPN app provides 100% IPv6 and DNS leak protection client side, and we are working on adding a 100% working kill switch there soon.
11. We use dedicated servers which are hosted in 3rd party data centers, but they do not have access to log in to or manage the server. We run our own DNS servers which do not save any logs. Among others we use Steadfast, i3D, Zenex5ive, Worldstream, Evoluso, Estnoc, Amanah, Voxility, Rackend, CherryServers.
12. We do not currently offer virtual locations. Our servers are in USA, UK, Australia, Brazil, Canada, Czech Republic, Estonia, France, Germany, Japan, Lithuania, Luxembourg, Netherlands, Norway, Romania, Spain, Switzerland and Ukraine.
1. We do not log or store any traffic, IP addresses or any other kind of data that would allow identification of our users or their activities. The anonymity and privacy of our users is our highest priority and the Perfect Privacy infrastructure was built with this in mind.
2. Perfect Privacy is operated by Vectura Datamanagement, registered in Zug, Switzerland.
3. The primary method to mitigate abuse is reacting to email tickets. In case of malicious activity towards specific targets, we block IP addresses or ranges so they are not accessible from our VPN servers. Additionally, we have limits on new outgoing connections for protocols like SSH, IMAP, and SMTP to prevent automated spam and brute force attacks. We do not limit or keep track of the number of connections per user.
4. All email and support tools are developed and hosted in-house under our control. We use Google Analytics for website optimization and better market reach, but with the anonymizeIp parameter set. However, Perfect Privacy users are exempted from any tracking by Google Analytics and are also able to use our TrackStop filter which will block any tracking (as well as ads and known malware domains) directly on our servers.
5. Because we do not host any data, DMCA notices do not directly affect us. However, we do receive copyright violation notices for file-sharing in which case we truthfully reply that we have no data that would allow us to identify the responsible party.
6. The only step on our side is to inform the contacting party that we do not have any data that would allow the identification of a user. There have been incidents in the past where Perfect Privacy servers were seized, but user information was never compromised that way. Since no logs are stored in the first place and additionally all our services are running within ramdisks, a server seizure will never compromise our customers. In August 2016 Dutch authorities seized two of our servers in Rotterdam and no user data was compromised.
7. Yes, BitTorrent and other file sharing is generally allowed and treated equally to other traffic. However, at certain locations that are known to treat copyright violations rather harshly (very quick termination of servers) we block the most popular torrent trackers to reduce the impact of this problem. Currently, this is the case for servers located in the United States and France.
8. We offer a variety of payment options ranging from anonymous methods such as sending cash, or Bitcoin. However, we also offer payment with PayPal and credit cards for users who prefer these options. Because we do not monitor or log IP assignments or account usage, there is no link to the payments.
9. While we offer a range of connection possibilities we would recommend using OpenVPN with 256 bit AES encryption. Additional security can be established by using a cascaded connection over up to four hops and by activating NeuroRouting for optimized routing to keep all traffic in the encrypted VPN network as long as possible.
10. Our VPN client versions for Windows and MacOS both have “kill-switch” functionality (firewall protection against IP and DNS leaks) integrated.
11. All our VPN servers are dedicated servers that run in various data centers around the world. While we have no physical access to the servers, they all are running within RAM disks only and are fully encrypted. We operate our own DNS servers.
12. Currently, we offer servers in 23 countries. All servers are located in the city displayed in the host name – there are no “virtual locations”. For full details about all servers locations please check our server status site as we are constantly adding new servers.
1. We keep zero logs about usage or that would match an IP/timestamp to a user.
2. VPN.ht Limited, a Hong Kong Company
3. We allow five concurrent connections with the same UserID.
4. Google Analytics.
5. We do not handle DMCA notices, our data center partners do, and in all cases we do not keep logs so we cannot identify the customer.
6. We will stop updating our Warrant Canary. It has never happened before.
7. Allowed on all our servers.
8. We accept various payment methods: Credit card / PayPal / Cryptocurrency / Other national payments. All are linked by an email.
9. For general use 128-bit AES, but we do offer 256-bit AES as the maximum encryption level.
10. On the next application update.
11. We don’t, but we do have a strong relationship with our partners who operate data centers.
12. We have 127 servers in around 33 countries and we try our best to expand to locations most requested by our customers.
1. We store only payment IP addresses for the purposes of fraud prevention; this applies to credit card and PayPal payments. We don’t record or store information about what our clients do online, and it is practically impossible to reverse track an external IP with a timestamp back to a real user.
2. VPNLand Inc., Canada
3. We use custom modified Radius databases to limit concurrent connections. We have AVs installed on all servers, and obvious known attacks are blocked at the firewall level.
4. We use ZenDesk (formerly Zopim) online chat. Email and support databases are all in-house.
6. We haven’t received any court order, thankfully. If there is a court order it will be evaluated first and then any action will be taken.
7. P2P is OK on all our VPN servers, except the US ones.
8. We use Stripe, PayPal, PaymentWall, BitPay. As said above, IP addresses are logged only for fraud prevention purposes. Payment details are not linked to account usage.
9. OpenVPN with AES-256-CBC key, SHA512 Hash Auth, and additional 2048 bit “tls-crypt” key
10. At this moment no, but the work is in progress and with our updated iOS, Android, Windows and Mac apps a “kill-switch” feature will be offered
11. We own half of our infrastructure in Canada, UK and Netherlands. In other countries we rent dedicated servers from hosting companies.
12. USA, Canada, UK, Netherlands, Germany, France, Sweden, Italy, Belgium, Luxembourg, Russian Federation, Singapore, Korea and Japan. VPN Land has no “virtual locations.”
1. We do not log any information that can link a VPN IP-address and timestamp to a specific user. We do not collect connecting IP addresses from our members when they are using Hidester VPN Service.
2. Our company is incorporated under the name of Hidester Limited. We are incorporated in Hong Kong, as this country does not have any data retention laws or regulations.
3. As explained above, we do measure total traffic volume (incoming and outgoing) by our members on a daily basis, to avoid excessive consumption of bandwidth by abusive users that would significantly reduce quality of service for other members. So far we have not had any problem with any of our members.
4. Our website analytics tool is Piwik and is self-hosted on our server. This tool records information about hidester.com website visitors, and is not linking in anyway website visitors with our Subscribed Members.
5. Our P2P-enabled servers are opened in countries known to us not to process DMCA or local equivalent notices. So in case we receive such an enquiry, we simply apologize that we CANNOT provide further information regarding our Member, as we do not record the data needed to link traffic sources and destinations.
6. We will reply to such a court order that we do not know which users are using our servers and that we are not legally obliged to do so. This has not happened so far.
7. All P2P-enabled servers are identified in the server list window of Hidester VPN application by a small double arrow icon on the right side of the server name in the list. Some servers are not P2P-enabled for legal reasons (hosting countries could force us to shut them down in case of court summon).
8. We are using Paymentwall, PayPal, and CoinPayments as our payment providers. Paymentwall and PayPal collect payers’ IPs and we cannot guarantee full anonymity for our Members using Paymentwall (Credit Card) or PayPal. For full anonymity even at account creation level, we recommend that our Members use CoinPayments with the many cryptocurrencies of their choice to ensure full anonymity.
But once again, our NO LOG on traffic data does not allow us to link data traffic sources and destinations, which was the cornerstone of our VPN software development on all computer applications (Mac / Windows / Linux).
9. Our most secure VPN protocol is OpenVPN, running with AES-256-CBC encryption and 2048-bit TLS. We recommend using this one for torrenting, except for Members located in censored countries, where CamoVPN might provide a more stable connection.
10. We provide a kill switch function, as well as a DNS leak protection when using CamoVPN and OpenVPN protocols.
11. We use VPS servers from third-party hosting providers. We mostly use well-recommended hosting providers which have been on the market for a long time. We use OpenDNS and Google DNS servers for our services.
12. We have servers located in over 33 countries, the full list is available here. We do not offer virtual locations.
1. We do not keep any logs on our VPN servers that would allow us to do this.
2. BV Internet Services Limited, in the Seychelles.
3. Generally, we just look at network graphs and number of connections and see if there is any abnormal activity. We also block certain sensitive ports that are often used for hacking/spamming.
4. We use Zendesk to deal with support queries and do track referrals from affiliates. We also provide the option to send us PGP encrypted messages via e-mail and also Zendesk. We do not use Cloudflare.
5. We generally find providers that are friendly towards such DMCA notices or, where it cannot be avoided, we just keep them as surfing/streaming servers with P2P disabled. These servers are more for geo-location or general purpose surfing rather than P2P. At no time do we give out customer information to handle this.
6. We maintain a warrant canary which we do update once a month or when there is a request for information (even if we have not complied with it).
7. We marked a few servers as surfing-streaming, as they are on providers with strict DMCA requirements. All other servers support P2P and are not treated differently from any other traffic.
8. PayPal, Paymentwall, Coinpayments, Paydollar, MolPay, Z-Coin/Z-Cash, direct bank-in and we also accept direct Bitcoin/Dash payments.
9. We recommend OpenVPN, with our Cloak servers running AES-256 bit encryption as well as an XOR patch that obfuscates your traffic. This obfuscation prevents it from being recognized as VPN traffic.
10. Yes we do. Our leak prevention also includes IPv6.
11. They are bare metal boxes hosted in various providers. We use our own DNS servers.
12. Canada, France, Germany, Italy, Japan, Luxembourg, Malaysia, Netherlands, Singapore, Sweden, Switzerland, United Kingdom and USA.
1. No logs, timestamps or IP addresses are kept whatsoever. At SaferVPN, we guarantee that we will never log your browsing activity, data, or IP addresses. This includes any websites you visited, any data you may have downloaded, shared or viewed, and any of your IP address or DNS queries.
In respecting everyone’s right to privacy, we also encrypt all of your data traffic, never share or sell any of your traffic details, never read your traffic, and never identify which traffic is yours.
2. SaferVPN operates under our Safer Social Limited company, under Israeli jurisdiction. Israel has strict privacy regulations which do not include a mandatory data retention policy and only apply specifically within the state.
3. Firstly, we do not monitor our users, and we keep no logs, period. That said, we have an active, proprietary system in place to help mitigate abuse. In addition, we also limit our simultaneous connections to five devices per user.
4. We use standard business tools including Google Analytics to improve our website and provide users with the most relevant information. We also use Zendesk as a secure third-party support platform and SendGrid for transactional emails. Our users’ information is never stored within these apps, rather in a separate proprietary database used solely for support and billing requirements.
Any information about how our customers use the VPN itself (such as browsing history, traffic data or DNS queries) is never revealed to third parties and is never logged or stored by SaferVPN.
5. We have not received any court orders as of yet, but in the case that we would be served with one, we would not be able to offer any information at all. We do not log IP addresses nor browsing activity, and we cannot match any activity to real IP addresses, even if we were asked by the court. We simply don’t have that data.
6. See above.
7. BitTorrent and other file-sharing traffic is welcome on our Dutch (NL) VPN servers without any throttling. It isn’t allowed on our other servers as stated in our Terms of Service, due to our agreements with data centers.
8. Our customers can pay via credit card, PayPal and Bitcoin. Payments are performed exclusively by third-party processors — BlueSnap for credit cards, PayPal for PayPal and CoinBase for Bitcoin — who only get the necessary data to verify the payment. As we don’t monitor account usage, payment details cannot be linked to any IP assignments.
9. In most cases we recommend (and default to) OpenVPN UDP and our cipher suite of AES-256 + RSA4096 + SHA256. Our apps use a 4096-bit CA, AES-256-CBC encryption, TLSv1.2, and SHA512 signatures to authenticate our servers. We use TLS 1.2 on all servers with Perfect Forward Secrecy keys enabled. At the same time, we also offer a wide range of VPN protocols, including OpenVPN, L2TP, IPsec, OpenConnect/AnyConnect (SSL VPN), and IKEv2. We still offer PPTP for those of you who need it, but we don’t recommend it.
10. SaferVPN provides both an automatic app-level kill switch and a feature for DNS leak protection across all mobile and desktop platforms. We also ensure that our users enjoy Automatic Wi-Fi Security that activates immediate VPN protection across public Wi-Fi hotspots.
11. We use dedicated servers at premium data centers with strong security practices. Due to our special server configuration, no one can access, retain or collect any data. All servers have been set up with a zero logs policy, ensuring that no customer data nor activity is stored on any VPN server.
12. Our servers are physically located in over 34 countries, and across every continent except Antarctica (we’re working on that!).
1. We DO NOT keep any logs. We do not store logs relating to traffic, session, DNS or metadata.
2. We’re registered in the United Kingdom under the name “HEADVPN LTD”
3. We use a pre-configured firewall which is configured by our own technology.
4. Google is the only external mail system we use. We make standard use of Google Apps and Google Analytics. Of course, we provide 24/7 Live Chat support (powered by Tawk). All other support tools are kept internal for our users and visitors.
5. Since we don’t keep any information on any of our servers there is nothing that we can take down. If we receive a valid DMCA notice we can only take action if the connection is still active (we notify the user and stop the session).
6. We haven’t received any court orders. If that happens, the agency will be informed that no user information is available as we DO NOT keep logs. In our practice this has not been the case.
7. Yes, we allow P2P/BitTorrent downloading. For P2P/Bittorent traffic we have special VPN servers (which are located in a data center that allows such traffic). On other VPN servers, P2P/Bittorent traffic is blocked.
8. We accept all forms of credit/debit card payments through the Stripe payment gateway, as well as Bitcoin, QIWI, Yandex.Money, WebMoney, AliPay, CashU, iDeal, PaySafecard, and PayPal. We do not store any billing information such as credit cards or addresses.
9. We provide all kinds of encryption methods, including PPTP, L2TP/IPsec, SSTP, OpenVPN and SoftEther protocols. We recommend using OpenVPN protocol as it’s the most secure and using RSA 4096 bit and AES 256 bit encryption keys.
10. We do not offer DNS leak protection via kill switches. DNS leak protection is best handled by using OpenVPN protocol (AES-256-CBC algorithm for encryption).
11. All our VPN servers are hosted in 3rd party data centers with the highest specifications for performance, reliability and security. We have direct access to each server and they all are running within RAM disks (which are fully encrypted).
12. Our VPN servers are located in the United Kingdom, United States, Germany and Netherlands. We do not offer virtual locations.
1. No, we do not keep any such logs. We do not monitor the bandwidth usage, nor the websites that users visit.
2. ZenMate is incorporated under the legal entity “ZenGuard GmbH”, registered and operating under German jurisdiction. Germany is known for its strict internet privacy and security laws, we are therefore bound to Germany’s data privacy rules. The latter are reflected in the company’s strict privacy policies, which are followed rigorously.
3. All of our VPN systems and tools that are used to prevent abuse are proprietary and maintained in-house.
4. For user support we use ZenDesk that holds the email address the user provided us and a name if the user added that to the support ticket. For our website we do use Google Analytics, but with the “anonymize_IP” setting enabled.
5. We answer that due to the absence of any user-related data in regards to the usage with ZenMate we cannot give any support to these authorities, as this kind of data is not logged.
6. Due to the absence of any log data we cannot give any historical data to these authorities. As of now, no judge has ever been willing to sign a court order to make us start logging (in general, without a specific suspicion) in the future, as this would result in a breach of several other German/European laws. We therefore have been successfully defending our users’ rights for more than five years now, without having to fear any change anytime soon.
7. Yes, we allow all traffic on all servers – as we do not have any control over the user’s traffic at all.
8. We offer a variety of payment methods depending on the country you are located in. Among others, we support payments via VISA, MasterCard, American Express, PayPal, Sofort Banking. We do not process payments on our own. We contracted with Adyen B.V. as our payment provider for the processing of payments – who is fully PCI DSS and PCI SAQ compliant.
We do not have a linked connection between payment details (which is on Adyen’s side) and account usage (which we do not log) or IP assignment (which happens completely automatically), as these are completely different systems at two different companies.
9. We use the latest TLS 1.2 (RFC 5246) protocol and support different cipher suites with PFS (the default for Chrome is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and up to TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. No known attack currently targets these ciphers. AES 128 is preferred to AES 256. There have been discussions on whether the extra security of AES 256 is worth the cost, and the result is far from obvious. At the moment, AES 128 is preferred, since it provides bulletproof security, it is really fast and seems to be more resistant to timing attacks.
10. Yes, we provide kill switches in the browser extensions, Windows and Android.
11. We work with a small number of trusted partners that operate premium data centers with strong security practices. Nevertheless, due to the strong encryption and the zero-logging policy, even in the event of unauthorized access an attacker could not get any information about the activity of a specific user, as there is none on our VPN servers.
12. With ZenMate you can relocate your IP address to hide your real location and circumvent network restrictions to unblock geo-restricted sites.
We are currently offering over 30 different country locations to choose from, for example: Germany, Romania, Hong Kong, United States, Austria, Australia, Belgium, Bulgaria, Canada, Czech Republic, Finland, France, Israel, Italy, Japan, Latvia, Luxembourg, Moldova, Netherlands, Norway, Poland, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, Ukraine, United Kingdom.
1. We do not keep any logs that can link a user to a certain IP address. We keep anonymized logs of some usage so that we can improve the service. No single user can ever be identified.
2. We are incorporated in Gibraltar as Buffered Ltd. All card payments are taken via this entity. We take payments on PayPal via our Hungarian subsidiary, which is fully owned by the Gibraltar company.
3. Our own internal tools monitor how many devices a user has connected.
4. We do not use any external email providers, we only use internal traffic analytics (no Google Analytics or any other tracking). We use Livechat.com for live support.
5. We are not a content provider, but a network/transit service, therefore DMCA requests are not applicable to us. If we do receive one we do not attempt to identify the user (since we cannot anyway).
6. This has not happened.
7. Yes, we do not interfere with traffic in this way.
8. We use Checkout.com and PayPal, and Bitpay for bitcoin payments. Since we do not store usage logs of users this cannot be linked to payment providers, however, users should be aware that paying for a VPN with anything other than bitcoin will make it easy to identify that you have at least paid for that particular VPN.
9. Even though Blowfish is sufficiently secure, with hardware-accelerated AES, AES is now faster than Blowfish. Consequently, we are rolling this out everywhere, as it greatly improves battery consumption and security, especially in resource-constrained environments like routers and mobiles.
10. Yes we do, we recently released a firewall based killswitch. It blocks all traffic in case of the VPN connection dropping.
11. We use our own DNS servers. We rent servers across the world from providers like Leaseweb and 100TB.
12. We offer connections in 45 countries, and there are no virtual locations.
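A firewall-based kill switch of the kind blackVPN, Perfect Privacy and Buffered describe in their answers (firewall rules that block everything when the tunnel drops, plus IPv6 and DNS leak protection), as an added example that is not part of the original article or of any provider's software. It assumes a Linux client with iptables/ip6tables; the interface names (tun0, eth0), the endpoint 203.0.113.10:1194/udp and the resolver 10.8.0.1 are constructed for the example. killswitch_rules emits an iptables-restore ruleset whose default policy drops everything except the VPN handshake itself and traffic inside the tunnel, with DNS pinned to the provider's resolver over the tunnel; killswitch6_rules blackholes IPv6 the way several providers do server-side; audit_rules reads an iptables-save dump and reports the three ways such a ruleset typically still leaks.

```shell
#!/bin/sh
# Added example, not provider code: a firewall-based VPN kill switch for a
# Linux client. Interface names, addresses and ports are assumptions.
#
#   killswitch_rules tun0 203.0.113.10 1194 udp 10.8.0.1 eth0 | iptables-restore
#   killswitch6_rules | ip6tables-restore
#   iptables-save | audit_rules eth0 tun0 203.0.113.10

# Emit an iptables-restore ruleset. Every chain defaults to DROP, so when the
# tunnel goes down the host has no path out instead of a plaintext one.
killswitch_rules() {
    vpn_if="$1"; vpn_host="$2"; vpn_port="$3"; vpn_proto="$4"; vpn_dns="$5"; phys_if="$6"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only new connection allowed on the physical interface: the VPN handshake itself
-A OUTPUT -o $phys_if -p $vpn_proto -d $vpn_host --dport $vpn_port -j ACCEPT
# DNS only to the provider's resolver and only inside the tunnel (DNS leak protection)
-A OUTPUT -o $vpn_if -p udp -d $vpn_dns --dport 53 -j ACCEPT
-A OUTPUT -o $vpn_if -p tcp -d $vpn_dns --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 53 -j REJECT
-A OUTPUT -p tcp --dport 53 -j REJECT
# everything else must ride the tunnel
-A OUTPUT -o $vpn_if -j ACCEPT
COMMIT
EOF
}

# IPv6: blackhole it on the client, as several providers do server-side; an
# IPv6 default route that bypasses the tunnel is the classic leak.
killswitch6_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin; return 1 (and say why) if it can leak:
#   1. OUTPUT default policy is not DROP
#   2. an OUTPUT ACCEPT exists that is not loopback, tunnel, conntrack or the endpoint rule
#   3. a port-53 ACCEPT exists that is not bound to the tunnel interface
audit_rules() {
    phys_if="$1"; vpn_if="$2"; vpn_host="$3"
    dump="$(cat)"
    printf '%s\n' "$dump" | grep -q '^:OUTPUT DROP' \
        || { echo "leak: OUTPUT policy is not DROP" >&2; return 1; }
    if printf '%s\n' "$dump" | grep -e '^-A OUTPUT ' | grep -e '-j ACCEPT' \
        | grep -v -e '-o lo ' -e "-o $vpn_if " -e '--ctstate' \
                  -e "-o $phys_if -p [a-z]* -d $vpn_host --dport" | grep -q .; then
        echo "leak: an OUTPUT rule accepts traffic outside $vpn_if" >&2; return 1
    fi
    if printf '%s\n' "$dump" | grep -e '--dport 53 ' | grep -e '-j ACCEPT' \
        | grep -v -q -e "-o $vpn_if "; then
        echo "leak: DNS is accepted outside $vpn_if" >&2; return 1
    fi
    return 0
}
```

Load the rules before starting the VPN client and leave them in place across reconnects; because port 53 is rejected on the physical interface, the client's `remote` must be an IP literal (or be resolved before the rules are loaded). The audit is a heuristic over rule text, so run it against the live `iptables-save` output after every rule change rather than trusting the generator.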
1. We do not analyze or DPI traffic. We also do not keep logs on VPN nodes. General connection logs are stored on a secure server for seven days to solve network issues if there are any (for example if VPN IP is blocked in China and needs replacement). These logs are deleted after seven days if there are no network problems.
2. Taiwan. Seed4.Me Inc. We are not aware of any legislation requiring us to share client information, and we are not aware of any precedents in Taiwan where client information was disclosed. We do not hold much information anyway. On the other hand, we do not welcome illegal activities which potentially harm other people.
3. We use simple firewall rules to avoid some abuses in advance. Regarding concurrent connections: we do not have any limits when a Client uses our Windows, Mac, iOS or Android app. When a Customer sets up L2TP/PPTP VPN manually he has one simultaneous connection by default; this number can be increased and it’s totally free. We use our own solution to manage abusive accounts and limit concurrent L2TP/PPTP connections.
4. Currently, we utilize Google Analytics and G Suite (formerly Google Apps). Regarding G Suite, we do not store any sensitive information there, only support issues.
5. In case of abuse we null route the IP to keep ourselves in compliance with the DMCA. Currently, we use simple firewall rules to block torrents in countries where the DMCA applies.
6. We will act in accordance with the laws of the jurisdiction, only if court order comes from a jurisdiction where the affected server is located. Fortunately, as I said before, we do not keep any logs on VPN nodes, on the other hand – we do not encourage illegal activity. This never happened.
7. Torrents are allowed on our VPN servers in Switzerland, Sweden, and Latvia. These are torrent-friendly countries with high-quality data centers and networks.
8. We accept Bitcoin, PayPal, Visa, MasterCard, Webmoney, QIWI, Yandex.Money, Bank transfer and In-App purchases in our mobile apps. We do not store sensitive payment information on our servers, in most cases payment system simply sends us a notification about successful payment with the amount of payment. We validate this data and grant access to VPN. BTW, we do not require name of the cardholder when he pays for the VPN in our desktop app.
9. Obfuscated OpenVPN with 2048-bit key will be a good choice, it’s available in our Desktop and Android apps. Also our iOS App has Automatic protection option that guarantees for example that all outgoing connections on open Wi-Fi will be encrypted and passed through secure VPN channel.
10. Yes, we have a kill switch in our Desktop VPN app. Yes, we provide DNS leak protection in our Desktop VPN app.
11. All servers are remotely administered by our team only, no outsourcing. No data is stored on VPN nodes (if the node is confiscated, there will not be any data). We prefer to deal with trustworthy Tier-3 (PCI-DSS) data centers and providers to ensure reliable service with high security. As for DNS, we use Google, users can override these settings with their own.
12. Currently we offer VPN nodes in 21 locations: USA, UK, Canada, France, Russia, Switzerland (torrent-friendly), Sweden (torrent-friendly), Belgium, Ukraine, Latvia (torrent-friendly), Bulgaria, Netherlands, Spain, Germany, Italy, India, Hong Kong, Singapore, Israel, Taiwan and South Korea.
We offer one virtual location. Currently, we try not to fake IP locations and provide real IPs directly from the country where the VPN server is physically located.
1. We keep connection logs for one day to help us in troubleshooting customers’ connection problems but also to identify attacks (e.g. bruteforce, account theft). This information contains IP address, connection start and end time, protocol used (including port) and amount of data transferred.
2. Netsec Interactive Solutions SRL, registered in Romania.
3. There are automated firewall rules that can kick in in the event of some specific abusive activities; manual intervention can be done when absolutely necessary in order to keep the infrastructure stable and reliable for everyone. Concurrent connections are limited by the authentication back-ends.
5. We are handling DMCA complaints internally without involving the users (i.e. we are not forwarding anything). We use shared IP addresses so it’s not possible to identify the users.
6. It never happened. In such event, we would rely on legal advice.
7. It is allowed.
8. All major cryptocurrencies, PayPal, credit cards, Perfect Money, several country-specific payment methods, gift cards. Payment with cryptocurrencies can be anonymous.
9. OpenVPN using Elliptic Curve Cryptography for Key Exchange (ECDHE, curve secp256k1) is used by default in most cases. We also support RSA-4096, SHA256 and SHA512 for digest/HMAC. For data encryption we use AES-256-GCM and AES-128-GCM.
10. Yes, such features are embedded in our client software.
11. We have physical control of our servers in Romania. In other countries, we rent or collocate our hardware. We use our own DNS resolvers and all DNS traffic between VPN gateways and DNS resolvers is encrypted.
12. We don’t use “virtual locations”. All servers are physically located in several countries (and growing), such as: Australia, Canada, Switzerland, Germany, Spain, Finland, France, Hong Kong, Italy, Japan, South Korea, Lithuania, Luxembourg, Mexico, Netherlands, Norway, Poland, Portugal, Romania, Sweden, Singapore, Taiwan, UK, USA.
1. We keep limited session logs for all of our services. These logs record the duration of a connection, the IP address used for the connection and the number of bytes transferred.
These logs are typically kept for 72 hours, usually less, after which they are purged. We log this data for fraud and abuse detection/prevention. Since we use shared IPs on our servers, and do not log activity, it is difficult to associate specific activity with individual users.
2. IronSocket is owned and operated by Pusa and Daga Hong Kong Limited in the jurisdiction of the Hong Kong Special Administrative Region.
3. We do not use any third-party email providers or support tools. We use Google Analytics and HasOffers which have minimal visitor tracking information used for website usage reporting and management of our affiliate program, respectively.
4. IronSocket is not subject to the DMCA or any international equivalent. We do NOT host any user-uploaded content on any of our servers. While IronSocket is not subject to DMCA, some of our hosting and data center partners reside in locations that are. If they escalate a DMCA notice to us, we reply to the provider that we are a service provider like them, and that we do not log our users’ activity.
5. This has not happened. It is our policy to cooperate with legal orders that are valid under Hong Kong SAR law. The process to address such request is: (A) Verify the order is legal and valid. (B) Consult with legal counsel to determine what we are required to provide. (C) Determine if we have the data being requested.
6. P2P traffic is allowed on servers in countries where such traffic is not restricted. We do not allow P2P on all servers due to the legal pressure on the data centers in certain regions of the world. All traffic is treated equally on our network.
7. We accept credit / debit card payments via SafeCharge and PayPal. Bitcoin transactions are processed by BitPay and major US brand gift cards are handled by PayGarden. We do not collect sensitive payment information. Any sensitive payment information is maintained by each respective payment processor and is linked by a unique transaction number.
8. OpenVPN with strong encryption: AES 256-bit encryption with SHA256 message authentication, using a 4096-bit key for secure authentication.
9. We are currently beta testing a new client for Microsoft Windows systems that offers DNS leak protection and VPN drop protection. VPN drop protection has the option of killing specific applications or the system’s network connection.
10. We are currently beta testing a new client for Microsoft Windows systems that offers support for the OpenVPN, L2TP, and PPTP VPN protocols.
11. We host and maintain our own DNS servers. We manage all our VPN servers but they are hosted and maintained by third-party data centers. We vet all providers prior to engaging their services and we continuously evaluate the quality of service and responsiveness to our requirements and requests.
12. We have hundreds of servers in 38 different countries and are always adding more. The most up-to-date list can be found here.
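Several providers above describe the same OpenVPN hardening in their own words: a TLS 1.2 minimum, DHE/ECDHE-only suites for forward secrecy, AES-GCM for the data channel, SHA-2 HMACs, a tls-crypt/tls-auth key and, on the client side, server certificate checks. The following is an added example that is not part of the article, of any provider's software or of the OpenVPN project: a POSIX shell audit that reads an OpenVPN 2.4-style client or server config and flags each of those settings when it is missing or weak. It needs only grep and sed; the file names, the endpoint 203.0.113.10 and the two sample configs (one hardened, one leaning on old defaults) are constructed for the example.

```shell
#!/bin/sh
# Added example, not provider or OpenVPN project code: audit an OpenVPN client
# or server config for the settings the providers above describe. Needs only
# grep and sed. File names and the endpoint address are assumptions.

# Value of the first occurrence of a directive (comments stripped), or "".
ovpn_get() { sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^#;]*\).*/\1/p" "$2" | head -n 1 | sed 's/[[:space:]]*$//'; }
# True if the directive appears, either as a line or as an inline <block>.
ovpn_has() { grep -q -E "^[[:space:]]*(<)?$1(>|[[:space:]]|$)" "$2"; }

# Print one "FLAG: ..." line per finding; return 0 only if nothing was flagged.
openvpn_check() {
    cfg="$1"; n=0
    flag() { echo "FLAG: $*"; n=$((n + 1)); }

    # 1. TLS 1.0/1.1 handshakes must be refused
    v="$(ovpn_get tls-version-min "$cfg")"
    case "$v" in 1.2*|1.3*) ;; *) flag "tls-version-min is '${v:-unset}': TLS 1.0/1.1 handshakes allowed" ;; esac

    # 2. data channel: AEAD, never a 64-bit-block cipher (Blowfish, DES: SWEET32-class)
    c="$(ovpn_get cipher "$cfg")"
    ciphers="$(ovpn_get data-ciphers "$cfg")"; [ -n "$ciphers" ] || ciphers="$(ovpn_get ncp-ciphers "$cfg")"
    case "$c" in
        *-GCM|CHACHA20-POLY1305) ;;
        "") [ -n "$ciphers" ] || flag "no cipher/data-ciphers: effective cipher left to the build's default" ;;
        BF-CBC|DES*|*RC2*|CAST*) flag "64-bit-block cipher '$c': use AES-256-GCM" ;;
        *) flag "cipher '$c' is not AEAD: prefer AES-256-GCM" ;;
    esac
    case ":$ciphers:" in *:BF-CBC:*|*DES*) flag "negotiable cipher list offers a 64-bit-block cipher: '$ciphers'" ;; esac

    # 3. HMAC for the control channel (and for CBC data): SHA-2, not the SHA1 default
    a="$(ovpn_get auth "$cfg")"
    case "$a" in SHA256|SHA384|SHA512) ;; *) flag "auth is '${a:-SHA1 (default)}': use SHA256 or stronger" ;; esac

    # 4. control-channel pre-shared key: without it the port is probe-able and DoS-able
    if ! ovpn_has tls-crypt "$cfg" && ! ovpn_has tls-crypt-v2 "$cfg" && ! ovpn_has tls-auth "$cfg"; then
        flag "no tls-crypt/tls-auth: control channel has no pre-shared HMAC"
    fi

    # 5. forward secrecy: every suite in an explicit tls-cipher list must use (EC)DHE
    t="$(ovpn_get tls-cipher "$cfg")"
    if [ -n "$t" ]; then
        old_ifs=$IFS; IFS=:
        for suite in $t; do
            case "$suite" in *DHE*) ;; *) flag "tls-cipher suite '$suite' has no (EC)DHE exchange: no forward secrecy" ;; esac
        done
        IFS=$old_ifs
    fi

    # 6. clients must check the server cert's role, or any cert from the CA can impersonate it
    if ovpn_has remote "$cfg" && ! ovpn_has remote-cert-tls "$cfg"; then
        flag "client config without 'remote-cert-tls server'"
    fi

    # 7. compression on an encrypted channel leaks plaintext length
    if ovpn_has comp-lzo "$cfg" && [ "$(ovpn_get comp-lzo "$cfg")" != "no" ] || [ -n "$(ovpn_get compress "$cfg")" ]; then
        flag "compression enabled: remove comp-lzo/compress"
    fi

    [ "$n" -eq 0 ]
}

# A client config with every setting above in its strong form (constructed).
hardened_client_config() {
    cat <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
auth SHA512
tls-crypt ta.key
ca ca.crt
cert client.crt
key client.key
verb 3
EOF
}

# The same client leaning on old defaults (constructed): six findings.
weak_client_config() {
    cat <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
comp-lzo
EOF
}
```

Run it as `openvpn_check client.ovpn` on the files a provider ships; the two sample functions show the two extremes. The check reads directive text only, so a `cipher` line a server later overrides through cipher negotiation is reported as written, which is the point: the file is what a user can verify before connecting.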
Note: several of the providers listed in this article are TorrentFreak sponsors. We reserve the first three spots for our sponsors, as a courtesy.
VPN providers who want to be in future question rounds are free to get in touch.
Post Syndicated from Ernesto original https://torrentfreak.com/steal-show-s03e13-tao-dao/
If you enjoy this episode, consider becoming a patron and getting involved with the show. Check out Steal This Show’s Patreon campaign: support us and get all kinds of fantastic benefits!
In this episode, we meet Chris Beams, founder of the decentralized cryptocurrency exchange Bisq. We discuss the concept of DAOs (Decentralised Autonomous Organisations) and whether The Pirate Bay was an early example; how the start of Bitcoin parallels the start of the Internet itself; and why the meretricious Bitcoin Cash fork of Bitcoin is based on a misunderstanding of Open Source development.
Finally, we get into Bisq itself, discussing the potential political importance of decentralized crypto exchanges in the context of any future attempts by the financial establishment to control cryptocurrency.
Steal This Show aims to release bi-weekly episodes featuring insiders discussing copyright and file-sharing news. It complements our regular reporting by adding more room for opinion, commentary, and analysis.
The guests for our news discussions will vary, and we’ll aim to introduce voices from different backgrounds and persuasions. In addition to news, STS will also produce features interviewing some of the great innovators and minds.
Host: Jamie King
Guest: Chris Beams
Produced by Jamie King
Edited & Mixed by Riley Byrne
Original Music by David Triana
Web Production by Siraje Amarniss
Post Syndicated from Eevee original https://eev.ee/blog/2018/02/18/tech-wishes-for-2018/
Anonymous asks, via money:
What would you like to see happen in tech in 2018?
(answer can be technical, social, political, combination, whatever)
I’m not really qualified to speak in depth about either of these things, but let me put my foot in my mouth anyway:
Bitcoin was a neat idea. No, really! Decentralization is cool. Overhauling our terrible financial infrastructure is cool. Hash functions are cool.
Unfortunately, it seems to have devolved into mostly a get-rich-quick scheme for nerds, and by nearly any measure it’s turning into a spectacular catastrophe. Its “success” is measured in how much a bitcoin is worth in US dollars, which is pretty close to an admission from its own investors that its only value is in converting back to “real” money — all while that same “success” is making it less useful as a distinct currency.
Blah, blah, everyone already knows this.
What concerns me slightly more is the gold rush hype cycle, which is putting cryptocurrency and “blockchain” in the news and lending it all legitimacy. People have raked in millions of dollars on ICOs of novel coins I’ve never heard mentioned again. (Note: again, that value is measured in dollars.) Most likely, none of the investors will see any return whatsoever on that money. They can’t, really, unless a coin actually takes off as a currency, and that seems at odds with speculative investing since everyone either wants to hoard or ditch their coins. When the coins have no value themselves, the money can only come from other investors, and eventually the hype winds down and you run out of other investors.
I fear this will hurt a lot of people before it’s over, so I’d like for it to be over as soon as possible.
That said, the hype itself has gotten way out of hand too. First it was the obsession with “blockchain” like it’s a revolutionary technology, but hey, Git is a fucking blockchain. The novel part is the way it handles distributed consensus (which in Git is basically left for you to figure out), and that’s uniquely important to currency because you want to be pretty sure that money doesn’t get duplicated or lost when moved around.
But now we have startups trying to use blockchains for website backends and file storage and who knows what else? Why? What advantage does this have? When you say “blockchain”, I hear “single Git repository” — so when you say “email on the blockchain”, I have an aneurysm.
Bitcoin seems to have sparked imagination in large part because it’s decentralized, but I’d argue it’s actually a pretty bad example of a decentralized network, since people keep forking it. The ability to fork is a feature, sure, but the trouble here is that the Bitcoin family has no notion of federation — there is one canonical Bitcoin ledger and it has no notion of communication with any other. That’s what you want for currency, not necessarily other applications. (Bitcoin also incentivizes frivolous forking by giving the creator an initial pile of coins to keep and sell.)
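To make the "Git is a blockchain" point above concrete, here is an added example (it is not code from the original post): it computes object ids exactly the way git does, links commits to their parents by hash so that any edit to earlier history is detectable, and then bolts on the one piece Git does not have, a proof-of-work nonce, to show what Bitcoin's consensus layer contributes on top of the hash chain. The commit format is trimmed to tree, parent and message, the blob hash stands in for a real tree object, and the difficulty is kept tiny; those are simplifications for illustration.

```python
import hashlib
from typing import List, Optional, Tuple


def git_object_id(kind: str, data: bytes) -> str:
    """Content address exactly as git computes it: sha1(b"<type> <size>\\0" + data)."""
    header = f"{kind} {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


def make_commit(parent: Optional[str], tree: str, message: str) -> Tuple[str, bytes]:
    """A git-style commit object: it names its tree and its parent by hash, so the
    commit id commits to the entire history behind it (simplified format)."""
    lines = [f"tree {tree}"]
    if parent is not None:
        lines.append(f"parent {parent}")
    lines += ["", message]
    body = "\n".join(lines).encode()
    return git_object_id("commit", body), body


def build_chain(messages: List[str]) -> List[Tuple[str, bytes]]:
    """Each commit points at the previous one; the blob hash stands in for a real tree."""
    chain, parent = [], None
    for msg in messages:
        tree = git_object_id("blob", msg.encode())
        cid, body = make_commit(parent, tree, msg)
        chain.append((cid, body))
        parent = cid
    return chain


def verify_chain(chain: List[Tuple[str, bytes]]) -> bool:
    """Recompute every object id and every parent link. Editing any commit, or
    dropping one from the middle, breaks a hash somewhere after it."""
    expected_parent = None
    for cid, body in chain:
        if git_object_id("commit", body) != cid:
            return False
        parents = [l.split(" ", 1)[1] for l in body.decode().split("\n") if l.startswith("parent ")]
        if (parents[0] if parents else None) != expected_parent:
            return False
        expected_parent = cid
    return True


def proof_ok(body: bytes, nonce: int, difficulty_bits: int) -> bool:
    """True when sha256(body || nonce) has at least `difficulty_bits` leading zero bits."""
    digest = hashlib.sha256(body + nonce.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(body: bytes, difficulty_bits: int = 12) -> int:
    """The piece Git does not have: a proof of work that makes each block costly to
    produce, so rewriting history means redoing the work for every later block."""
    nonce = 0
    while not proof_ok(body, nonce, difficulty_bits):
        nonce += 1
    return nonce


if __name__ == "__main__":
    chain = build_chain(["first", "second", "third"])
    print("chain valid:", verify_chain(chain))
    cid, body = chain[0]
    forged = [(cid, body.replace(b"first", b"FIRST"))] + chain[1:]
    print("after editing history:", verify_chain(forged))
    print("nonce for last commit:", mine(chain[-1][1]))
```

`git hash-object` produces the same ids as `git_object_id`, which is the whole point: the tamper evidence is already in Git. What `mine` adds is cost, and cost plus the longest-chain rule is what lets strangers agree on one history without a central server.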
And federation is much more interesting than decentralization! Federation gives us email and the web. Federation means I can set up my own instance with my own rules and still be able to meaningfully communicate with the rest of the network. Federation has some amount of tolerance for changes to the protocol, so such changes are more flexible and rely more heavily on consensus.
Federation is fantastic, and it feels like a massive tragedy that this rekindled interest in decentralization is mostly focused on peer-to-peer networks, which do little to address our current problems with centralized platforms.
And hey, you know what else is federated? Banks.
Again, the tech is cool and all, but the marketing hype is getting way out of hand.
Maybe what I really want from 2018 is less marketing?
For one, I’ve seen a huge uptick in uncritically referring to any software that creates or classifies creative work as “AI”. Can we… can we not. It’s not AI. Yes, yes, nerds, I don’t care about the hair-splitting about the nature of intelligence — you know that when we hear “AI” we think of a human-like self-aware intelligence. But we’re applying it to stuff like a weird dog generator. Or to whatever neural network a website threw into production this week.
And this is dangerously misleading — we already had massive tech companies scapegoating The Algorithm™ for the poor behavior of their software, and now we’re talking about those algorithms as though they were self-aware, untouchable, untameable, unknowable entities of pure chaos whose decisions we are arbitrarily bound to. Ancient, powerful gods who exist just outside human comprehension or law.
It’s weird to see this stuff appear in consumer products so quickly, too. It feels quick, anyway. The latest iPhone can unlock via facial recognition, right? I’m sure a lot of effort was put into ensuring that the same person’s face would always be recognized… but how confident are we that other faces won’t be recognized? I admit I don’t follow all this super closely, so I may be imagining a non-problem, but I do know that humans are remarkably bad at checking for negative cases.
Hell, take the recurring problem of major platforms like Twitter and YouTube classifying anything mentioning “bisexual” as pornographic — because the word is also used as a porn genre, and someone threw a list of porn terms into a filter without thinking too hard about it. That’s just a word list, a fairly simple thing that any human can review; but suddenly we’re confident in opaque networks of inferred details?
I don’t know. “Traditional” classification and generation are much more comforting, since they’re a set of fairly abstract rules that can be examined and followed. Machine learning, as I understand it, is less about rules and much more about pattern-matching; it’s built out of the fingerprints of the stuff it’s trained on. Surely that’s just begging for tons of edge cases. They’re practically made of edge cases.
I’m reminded of a point I saw made a few days ago on Twitter, something I’d never thought about but should have. TurnItIn is a service for universities that checks whether students’ papers match any others, in order to detect cheating. But this is a paid service, one that fundamentally hinges on its corpus: a large collection of existing student papers. So students pay money to attend school, where they’re required to let their work be given to a third-party company, which then profits off of it? What kind of a goofy business model is this?
And my thoughts turn to machine learning, which is fundamentally different from an algorithm you can simply copy from a paper, because it’s all about the training data. And to get good results, you need a lot of training data. Where is that all coming from? How many for-profit companies are setting a neural network loose on the web — on millions of people’s work — and then turning around and selling the result as a product?
This is really a question of how intellectual property works in the internet era, and it continues our proud decades-long tradition of just kinda doing whatever we want without thinking about it too much. Nothing if not consistent.
A bit tougher, since computers are pretty alright now and everything continues to chug along. Maybe we should just quit while we’re ahead. There’s some real pie-in-the-sky stuff that would be nice, but it certainly won’t happen within a year, and may never happen except in some horrific Algorithmic™ form designed by people that don’t know anything about the problem space and only works 60% of the time but is treated as though it were bulletproof.
The giants are getting more giant. Maybe too giant? Granted, it could be much worse than Google and Amazon — it could be Apple!
Amazon has its own delivery service and brick-and-mortar stores now, as well as providing the plumbing for vast amounts of the web. They’re not doing anything particularly outrageous, but they kind of loom.
Ad company Google just put ad blocking in its majority-share browser — albeit for the ambiguously-noble goal of only blocking obnoxious ads so that people will be less inclined to install a blanket ad blocker.
Twitter is kind of a nightmare but no one wants to leave. I keep trying to use Mastodon as well, but I always forget about it after a day, whoops.
Facebook sounds like a total nightmare but no one wants to leave that either, because normies don’t use anything else, which is itself direly concerning.
IRC is rapidly bleeding mindshare to Slack and Discord, both of which are far better at the things IRC sadly never tried to do and absolutely terrible at the exact things IRC excels at.
The problem is the same as ever: there’s no incentive to interoperate. There’s no fundamental technical reason why Twitter and Tumblr and MySpace and Facebook can’t intermingle their posts; they just don’t, because why would they bother? It’s extra work that makes it easier for people to not use your ecosystem.
I don’t know what can be done about that, except that hope for a really big player to decide to play nice out of the kindness of their heart. The really big federated success stories — say, the web — mostly won out because they came along first. At this point, how does a federated social network take over? I don’t know.
I… don’t really have a solid grasp on what’s happening in tech socially at the moment. I’ve drifted a bit away from the industry part, which is where that all tends to come up. I have the vague sense that things are improving, but that might just be because the Rust community is the one I hear the most about, and it puts a lot of effort into being inclusive and welcoming.
So… more projects should be like Rust? Do whatever Rust is doing? And not so much what Linus is doing.
I haven’t heard this brought up much lately, but it would still be nice to see. The Bay Area runs on open source and is raking in zillions of dollars on its back; pump some of that cash back into the ecosystem, somehow.
I’ve seen a couple open source projects on Patreon, which is fantastic, but feels like a very small solution given how much money is flowing through the commercial tech industry.
Nice. Fuck ads.
One might wonder where the money to host a website comes from, then? I don’t know. Maybe we should loop this in with the above thing and find a more informal way to pay people for the stuff they make when we find it useful, without the financial and cognitive overhead of A Transaction or Giving Someone My Damn Credit Card Number. You know, something like Bitco— ah, fuck.
I don’t know. What are we working on at the moment? Wayland? Do Wayland, I guess. Oh, and hi-DPI, which I hear sucks. And please fix my sound drivers so PulseAudio stops blaming them when it fucks up.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/02/water_utility_i.html
A water utility in Europe has been infected by cryptocurrency mining software. This is a relatively new attack: hackers compromise computers and force them to mine cryptocurrency for them. This is the first time I’ve seen it infect SCADA systems, though.
It seems that this mining software is benign, and doesn’t affect the performance of the hacked computer. (A smart virus doesn’t kill its host.) But that’s not going to always be the case.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/01/new_malware_hij.html
This is a clever attack.
After gaining control of the coin-mining software, the malware replaces the wallet address the computer owner uses to collect newly minted currency with an address controlled by the attacker. From then on, the attacker receives all coins generated, and owners are none the wiser unless they take time to manually inspect their software configuration.
So far it hasn’t been very profitable, but it — or some later version — eventually will be.
Post Syndicated from Ernesto original https://torrentfreak.com/five-fantastic-piracy-predictions-for-2018-180101/
On January 1, the TF newsroom often wonders what copyright and piracy news the new year will have in store.
Today we want to give our readers some insight into some of the things that crossed our minds.
Granted, predicting the future isn’t an easy task, but the ‘fantastic’ forecasts below give plenty of food for thought and discussion.
Hollywood’s concerns over pirate streaming boxes will reach unprecedented levels this year. After successful cases against box sellers and add-on developers, the major movie studios will take aim at the hardware.
A Chinese power cord manufacturer, believed to be linked to more than half of all the streaming boxes sold throughout the world, will be taken to court.
The movie studios argue that the power-cords are essential to make pirate streaming boxes work. They are therefore liable for contributory copyright infringement and should pay for the billions in losses they are partly responsible for.
In 2017 The Pirate Bay added a cryptocoin miner to its website, an example many other pirate sites followed. In the new year, there will be another cryptocurrency innovation that will have an even more profound effect.
After Google Chrome adds its default ad-blocker to the Chrome browser, a coalition of torrent sites will release The Pirate Coin.
With this new cryptocurrency, users can buy all sorts of perks and features on their favorite download and streaming portals. From priority HD streaming, through personalized RSS feeds, to VIP access – Pirate Coins can pay for it all.
The new coin will see mass adoption within a few months and provide a stable income for pirate sites, which no longer see the need for traditional ads.
For years on end, the major music labels have complained bitterly about YouTube. While the video service earned them millions, they demanded better deals and less piracy.
In 2018, YouTube will run out of patience. The video streaming platform will launch a counter-attack and start its own record label. With a talent pool of millions of aspiring artists among its users, paired with the right algorithms, they are a force to be reckoned with.
After signing the first artists, YouTube will scold the other labels for not giving their musicians the best deals.
While there’s still a lot of public outrage against the net neutrality repeal in 2018, torrent users are no longer complaining. After the changes are approved by Congress, Comcast will announce its first non-neutral Internet package.
The Torrent Pro (®) package will allow subscribers to share files via BitTorrent in an optimized network environment.
Their traffic will be routed over separate lanes with optimal connections to India, while minimizing interference from regular Internet users.
The new package comes with a free VPN, of course, to ensure that all transfers take place in a fully encrypted setting without having to worry about false notifications from outsiders.
The Pirate Bay turns 15 years old in 2018, which is an unprecedented achievement. While the site’s appearance hasn’t changed much since the mid-2000s, technically it has been slimmed down quite a bit.
The resource-intensive tracker was removed from the site years ago, for example, and shortly after, the .torrent files followed. This made The Pirate Bay more ‘portable’ and easier to operate, the argument was.
In 2018 The Pirate Bay will take things even further. Realizing that torrents are no longer as modern as they once were, TPB will make the switch to streaming, at least for video.
While the site has experimented with streaming browser add-ons in the past, it will implement WebTorrent streaming support in the new year. This means users can stream high-quality videos directly from the TPB website.
The new streaming feature will be released together with an overhaul of the search engine and site navigation, allowing users to follow TV-shows more easily, and see what’s new at a glimpse.
Don’t believe in any of the above? Look how accurate we were last year! Don’t forget the salt…
Post Syndicated from Ernesto original https://torrentfreak.com/lol-the-pirate-bay-adds-donation-options-mocks-bitcoin-cash-171227/
The Pirate Bay has been both an early adopter and a pioneer when it comes to cryptocurrencies.
Pirate Bay’s interest in cryptocurrency wasn’t new though.
The torrent site first allowed people to donate Bitcoin five years ago, which paid off right away. In little more than a day, 73 transactions were sent to Pirate Bay’s address, adding up to a healthy 5.56 BTC, roughly $700 at the time.
Today, the site still accepts Bitcoin donations. While it doesn’t bring in enough to pay all the bills, it doesn’t hurt either.
Around Christmas, The Pirate Bay decided to expand its cryptocurrency donation options. In addition to the traditional Bitcoin address, the torrent site added a Bitcoin Segwit Bech32 option, plus Litecoin and Monero addresses.
While the new donation options show that The Pirate Bay has faith in multiple currencies, the site doesn’t appear to be a fan of them all. The Bitcoin fork “Bitcoin Cash” is also listed, for example, but in a rather unusual way.
“BCH: Bcash. LOL,” reads a mention posted on the site.
Those who are following the cryptocurrency scene will know that there has been quite a bit of infighting between some supporters of the Bitcoin Cash project and those of the original Bitcoin in recent weeks.
Several high-profile individuals have criticized Bitcoin’s high transaction fees and limitations, while others have very little faith in the future of the Bitcoin Cash alternative.
Although there are not a lot of details available, the “LOL” mention suggests that the TPB team is in the latter camp.
In recent years The Pirate Bay has received a steady but very modest flow of Bitcoin donations. Last year we calculated that it ‘raked’ in roughly $9 per day.
However, with the exponential price increase recently, the modest donations now look pretty healthy. Since 2013 The Pirate Bay received well over 135 BTC in donations, which is good for $2 million today. LOL.
Post Syndicated from Robert Graham original http://blog.erratasec.com/2017/12/bitcoin-in-crypto-we-trust.html
Tim Wu, who coined “net neutrality”, has written an op-ed in the New York Times called “The Bitcoin Boom: In Code We Trust“. He is wrong about “code”.
Wu builds a big manifesto about how real-world institutions can’t be trusted. Certainly, this reflects the rhetoric from a vocal wing of Bitcoin fanatics, but it’s not the Bitcoin manifesto.
Instead, the word “trust” in the Bitcoin paper is much narrower, referring to how online merchants can’t trust credit-cards (for example). When I bought school supplies for my niece when she studied in Canada, the online site wouldn’t accept my U.S. credit card. They didn’t trust my credit card. However, they trusted my Bitcoin, so I used that payment method instead, and succeeded in the purchase.
Real-world currencies like dollars are tethered to the real-world, which means no single transaction can be trusted, because “they” (the credit-card company, the courts, etc.) may decide to reverse the transaction. The manifesto behind Bitcoin is that a transaction cannot be reversed — and thus, can always be trusted.
Deliberately confusing the micro-trust in a transaction and macro-trust in banks and governments is a sort of bait-and-switch.
“It was, after all, a carnival of human errors and misfeasance that inspired the invention of Bitcoin in 2009, namely, the financial crisis.”
Not true. Bitcoin did not appear fully formed out of the void, but was instead based upon a series of innovations that predate the financial crisis by a decade. Moreover, the financial crisis had little to do with “currency”. The value of the dollar and other major currencies was essentially unscathed by the crisis. Certainly, enthusiasts looking backward like to cherry pick the financial crisis as yet one more reason why the offline world sucks, but it had little to do with Bitcoin.
A generation ago, multi-user time-sharing computer systems had a similar problem. Before strong encryption, users had to rely on password protection to secure their files, placing trust in the system administrator to keep their information private. Privacy could always be overridden by the admin based on his judgment call weighing the principle of privacy against other concerns, or at the behest of his superiors. Then strong encryption became available to the masses, and trust was no longer required. Data could be secured in a way that was physically impossible for others to access, no matter for what reason, no matter how good the excuse, no matter what.
You don’t possess Bitcoins. Instead, all the coins are on the public blockchain under your “address”. What you possess is the secret, private key that matches the address. Transferring Bitcoin means using your private key to unlock your coins and transfer them to another. If you print out your private key on paper, and delete it from the computer, it can never be hacked.
Trust is in this crypto operation. Trust is in your private crypto key.
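As an added illustration of that point (example code, not from the original article): a pure-Python implementation of ECDSA over secp256k1, the curve and signature scheme Bitcoin uses. Anyone holding the public key, from which a Bitcoin address is derived by hashing (not shown here), can check a signature, but only the holder of the private key can produce one that verifies. The nonce derivation is a simplification of RFC 6979 and the arithmetic is not constant-time, so this is for understanding the trust model, not for building a wallet.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _point_add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def _scalar_mult(k, point):
    """Double-and-add. Not constant time: fine for a demonstration, not for a wallet."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result


def generate_private_key() -> int:
    """The secret: a random integer in [1, N-1]. This is the only thing you 'possess'."""
    return secrets.randbelow(N - 1) + 1


def public_key(priv: int):
    """The public point priv*G; Bitcoin hashes its encoding to make an address."""
    return _scalar_mult(priv, G)


def compressed_pubkey(pub) -> bytes:
    """33-byte SEC encoding: 0x02/0x03 parity prefix plus the x coordinate."""
    x, y = pub
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def _hash_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv: int, message: bytes):
    """ECDSA signature (r, s) over sha256(message)."""
    z = _hash_int(message)
    # Deterministic nonce from key and message. This is a simplification of RFC 6979,
    # not the real derivation; a reused or predictable k leaks the private key.
    k = _hash_int(priv.to_bytes(32, "big") + z.to_bytes(32, "big")) % N or 1
    r = _scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return (r, s)


def verify(pub, message: bytes, sig) -> bool:
    """Anyone with the public key can run this; nobody without the private key can forge a sig."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = _hash_int(message)
    w = pow(s, -1, N)
    point = _point_add(_scalar_mult(z * w % N, G), _scalar_mult(r * w % N, pub))
    return point is not None and point[0] % N == r


if __name__ == "__main__":
    priv = generate_private_key()
    pub = public_key(priv)
    msg = b"transfer 1 BTC to Bob"
    sig = sign(priv, msg)
    print("pubkey:", compressed_pubkey(pub).hex())
    print("valid:", verify(pub, msg, sig))
    print("tampered:", verify(pub, b"transfer 10 BTC to Bob", sig))
```

The ledger only ever sees `compressed_pubkey` (or its hash) and `(r, s)`; `priv` never leaves the signer. That is the whole of the "trust" Bitcoin offers, and it is why a private key printed on paper and wiped from the machine is out of reach of remote attackers while the coins stay spendable.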
The manifesto “in code we trust” has been proven wrong again and again. We don’t trust computer code (software) in the cryptocurrency world.
The most profound example is something known as the “DAO” on top of Ethereum, Bitcoin’s major competitor. Ethereum allows “smart contracts” containing code. The quasi-religious manifesto of the DAO smart-contract is that the “code is the contract”, that all the terms and conditions are specified within the smart-contract code, completely untethered from real-world terms-and-conditions.
Then a hacker found a bug in the DAO smart-contract and stole most of the money.
In principle, this is perfectly legal, because “the code is the contract”, and the hacker just used the code. In practice, the system didn’t live up to this. The Ethereum core developers, acting as central bankers, rewrote the Ethereum code to fix this one contract, returning the money back to its original owners. They did this because those core developers were themselves heavily invested in the DAO and got their money back.
Similar things happen with the original Bitcoin code. A disagreement has arisen about how to expand Bitcoin to handle more transactions. One group wants smaller and “off-chain” transactions. Another group wants a “large blocksize”. This caused a “fork” in Bitcoin with two versions, “Bitcoin” and “Bitcoin Cash”. The fork championed by the core developers (central bankers) is worth around $20,000 right now, while the other fork is worth around $2,000.
So it’s still “in central bankers we trust”, it’s just that now these central bankers are mostly online instead of offline institutions. They have proven to be even more corrupt than real-world central bankers. It’s certainly not the code that is trusted.
Wu repeats the well-known reference to Amazon during the dot-com bubble. If you bought Amazon’s stock for $107 right before the dot-com crash, it still would be one of wisest investments you could’ve made. Amazon shares are now worth around $1,200 each.
The implication is that Bitcoin, too, may have such long term value. Even if you buy it today and it crashes tomorrow, it may still be worth ten-times its current value in another decade or two.
This is a poor analogy, for three reasons.
The first reason is that we knew the Internet had fundamentally transformed commerce. We knew there were going to be winners in the long run, it was just a matter of picking who would win (Amazon) and who would lose (Pets.com). We have yet to prove Bitcoin will be similarly transformative.
The second reason is that businesses are real, they generate real income. While the stock price may include some irrational exuberance, it’s ultimately still based on the rational expectations of how much the business will earn. With Bitcoin, it’s almost entirely irrational exuberance — there are no long term returns.
The third flaw in the analogy is that there are an essentially infinite number of cryptocurrencies. We saw this today as Coinbase started trading Bitcoin Cash, a fork of Bitcoin. The two are nearly identical, so there’s little reason one should be so much more valuable than another. It’s only a fickle fad that makes one more valuable than another, not business fundamentals. The successful future cryptocurrency is unlikely to exist today, but will be invented in the future.
The lesson of the dot-com bubble is not that Bitcoin will have long term value, but that cryptocurrency companies like Coinbase and BitPay will have long term value. Or, the lesson is that “old” companies like JPMorgan that are early adopters of the technology will grow faster than their competitors.
Bitcoin is not about replacing real-world institutions but about untethering online transactions.
The trust in Bitcoin is in crypto — the power crypto gives individuals instead of third-parties.
The trust is not in the code. Bitcoin is a “cryptocurrency” not a “codecurrency”.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/12/crypto_is_being.html
I agree with Lorenzo Franceschi-Bicchierai, “Cryptocurrencies aren’t ‘crypto’“:
Lately on the internet, people in the world of Bitcoin and other digital currencies are starting to use the word “crypto” as a catch-all term for the lightly regulated and burgeoning world of digital currencies in general, or for the word “cryptocurrency” — which probably shouldn’t even be called “currency,” by the way.
To be clear, I’m not the only one who is mad about this. Bitcoin and other technologies indeed do use cryptography: all cryptocurrency transactions are secured by a “public key” known to all and a “private key” known only to one party — this is the basis for a swath of cryptographic approaches (known as public key, or asymmetric cryptography) like PGP. But cryptographers say that’s not really their defining trait.
“Most cryptocurrency barely has anything to do with serious cryptography,” Matthew Green, a renowned computer scientist who studies cryptography, told me via email. “Aside from the trivial use of digital signatures and hash functions, it’s a stupid name.”
It is a stupid name.
Post Syndicated from Jeff Barr original https://aws.amazon.com/blogs/aws/amazon-guardduty-continuous-security-monitoring-threat-detection/
Threats to your IT infrastructure (AWS accounts & credentials, AWS resources, guest operating systems, and applications) come in all shapes and sizes! The online world can be a treacherous place and we want to make sure that you have the tools, knowledge, and perspective to keep your IT infrastructure safe & sound.
Amazon GuardDuty is designed to give you just that. Informed by a multitude of public and AWS-generated data feeds and powered by machine learning, GuardDuty analyzes billions of events in pursuit of trends, patterns, and anomalies that are recognizable signs that something is amiss. You can enable it with a click and see the first findings within minutes.
How it Works
GuardDuty voraciously consumes multiple data streams, including several threat intelligence feeds, staying aware of malicious IP addresses, devious domains, and more importantly, learning to accurately identify malicious or unauthorized behavior in your AWS accounts. In combination with information gleaned from your VPC Flow Logs, AWS CloudTrail Event Logs, and DNS logs, this allows GuardDuty to detect many different types of dangerous and mischievous behavior including probes for known vulnerabilities, port scans and probes, and access from unusual locations. On the AWS side, it looks for suspicious AWS account activity such as unauthorized deployments, unusual CloudTrail activity, patterns of access to AWS API functions, and attempts to exceed multiple service limits. GuardDuty will also look for compromised EC2 instances talking to malicious entities or services, data exfiltration attempts, and instances that are mining cryptocurrency.
GuardDuty operates completely on AWS infrastructure and does not affect the performance or reliability of your workloads. You do not need to install or manage any agents, sensors, or network appliances. This clean, zero-footprint model should appeal to your security team and allow them to green-light the use of GuardDuty across all of your AWS accounts.
Findings are presented to you at one of three levels (low, medium, or high), accompanied by detailed evidence and recommendations for remediation. The findings are also available as Amazon CloudWatch Events; this allows you to use your own AWS Lambda functions to automatically remediate specific types of issues. This mechanism also allows you to easily push GuardDuty findings into event management systems such as Splunk, Sumo Logic, and PagerDuty and to workflow systems like JIRA, ServiceNow, and Slack.
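As an added example (not code from the AWS post), here is the shape of a Lambda remediation driven by the CloudWatch Events integration just described. It triages a GuardDuty finding event and, for the cryptocurrency-mining finding types, moves the instance into a quarantine security group so it is cut off from the network but stays running for forensics. The event is a constructed sample in the documented payload shape; the quarantine security group id, instance id, domain and account number are made up, and the EC2 client is injected so the decision logic runs offline without AWS credentials.

```python
import json
import os

# Finding types GuardDuty raises when an EC2 instance is talking to cryptocurrency
# mining infrastructure. Names taken from the GuardDuty finding-type list; check the
# current list for your account before relying on them.
CRYPTO_MINING_TYPES = {
    "CryptoCurrency:EC2/BitcoinTool.B",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
}

# Assumption for this example: a pre-created security group with no inbound or
# outbound rules, used to sever a suspect instance's traffic. The id is made up.
QUARANTINE_SG_ID = os.environ.get("QUARANTINE_SG_ID", "sg-quarantine-example")


def severity_label(score: float) -> str:
    """GuardDuty buckets numeric severity as low (1-3.9), medium (4-6.9), high (7-8.9)."""
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def triage(event: dict) -> dict:
    """Map one CloudWatch Event carrying a GuardDuty finding to a remediation decision."""
    if event.get("source") != "aws.guardduty" or event.get("detail-type") != "GuardDuty Finding":
        return {"action": "ignore", "reason": "not a GuardDuty finding event"}
    finding = event.get("detail", {})
    ftype = finding.get("type", "")
    label = severity_label(float(finding.get("severity", 0)))
    instance_id = finding.get("resource", {}).get("instanceDetails", {}).get("instanceId")
    decision = {"type": ftype, "severity": label, "instance_id": instance_id}
    if ftype in CRYPTO_MINING_TYPES and instance_id:
        # A mining instance is almost certainly compromised: isolate first, investigate after.
        decision.update(action="isolate", reason="EC2 instance communicating with mining infrastructure")
    elif label == "high":
        decision.update(action="ticket", reason="high-severity finding needs a human")
    else:
        decision.update(action="log", reason="recorded for later review")
    return decision


def handler(event: dict, context=None, ec2=None) -> dict:
    """Lambda entry point. `ec2` is injected so the logic can be exercised offline;
    inside Lambda, leave it None and boto3.client("ec2") is created on demand."""
    decision = triage(event)
    if decision["action"] == "isolate":
        if ec2 is None:
            import boto3  # only needed when actually running inside AWS
            ec2 = boto3.client("ec2")
        # Replacing every security group with the empty quarantine group cuts the
        # instance's traffic without stopping it, so memory and disk survive for forensics.
        ec2.modify_instance_attribute(InstanceId=decision["instance_id"], Groups=[QUARANTINE_SG_ID])
        decision["quarantine_sg"] = QUARANTINE_SG_ID
    print(json.dumps(decision))
    return decision


# Constructed sample event in the shape of the CloudWatch Events payload GuardDuty
# emits; the instance id, domain and account number are invented for this example.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "GuardDuty Finding",
    "source": "aws.guardduty",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "schemaVersion": "2.0",
        "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "severity": 8,
        "resource": {
            "resourceType": "Instance",
            "instanceDetails": {"instanceId": "i-0123456789abcdef0"},
        },
        "service": {
            "action": {
                "actionType": "DNS_REQUEST",
                "dnsRequestAction": {"domain": "pool.mining.example"},
            }
        },
    },
}


if __name__ == "__main__":
    class DryRunEC2:
        def modify_instance_attribute(self, **kwargs):
            print("would call modify_instance_attribute", kwargs)

    handler(SAMPLE_EVENT, ec2=DryRunEC2())
```

In a real deployment the CloudWatch Events rule matches `source: aws.guardduty` with `detail-type: GuardDuty Finding`, the function's role needs `ec2:ModifyInstanceAttribute`, and the quarantine group must allow nothing in or out. Keep the remediation narrow: auto-isolating on every high-severity finding would let a false positive take down production, which is why only the mining types are acted on automatically here.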
A Quick Tour
Let’s take a quick tour. I open up the GuardDuty Console and click on Get started:
Then I confirm that I want to enable GuardDuty by clicking on Enable GuardDuty. This gives it permission to set up the appropriate service-linked roles and to analyze my logs:
My own AWS environment isn’t all that exciting, so I visit the General Settings and click on Generate sample findings to move ahead. Now I’ve got some intriguing findings:
I can click on a finding to learn more:
The magnifying glass icons allow me to create inclusion or exclusion filters for the associated resource, action, or other value. I can filter for all of the findings related to this instance:
I can customize GuardDuty by adding lists of trusted IP addresses and lists of malicious IP addresses that are peculiar to my environment:
After I enable GuardDuty in my administrator account, I can invite my other accounts to participate:
Once the accounts decide to participate, GuardDuty will arrange for their findings to be shared with the administrator account.
I’ve barely scratched the surface of GuardDuty in the limited space and time that I have. You can try it out at no charge for 30 days; after that you pay based on the number of entries it processes from your VPC Flow, CloudTrail, and DNS logs.
Amazon GuardDuty is available in production form in the US East (Northern Virginia), US East (Ohio), US West (Oregon), US West (Northern California), EU (Ireland), EU (Frankfurt), EU (London), South America (São Paulo), Canada (Central), Asia Pacific (Tokyo), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Mumbai) Regions and you can start using it today!
If you are into cryptocurrency or blockchain at all, you will have heard about the Ethereum Parity Bug that has effectively thrown $280 Million or more worth of Ethereum tokens in the bin.
It’s a bit of a mess really, and a mistake by the developers, who introduced it back in July while fixing another bug to do with multisig wallets (wallets where multiple people have to approve a transaction).
You can see the thread on Github here: anyone can kill your contract #6995
There’s a lot of hair-pulling among Ethereum alt-coin hoarders today – after a programming blunder in Parity’s wallet software let one person bin $280m of the digital currency belonging to scores of strangers, probably permanently.
Post Syndicated from Andy original https://torrentfreak.com/pirate-friendly-coinhives-dns-hacked-user-hashes-stolen-171025/
Now, however, Coinhive has an unexpected and potentially serious problem to deal with. The company has just revealed that on Monday night its DNS records maintained at Cloudflare were accessed by a third-party, allowing an unnamed attacker to redirect user mining traffic to a server they controlled.
The company hasn’t revealed how long the unauthorized redirect stayed in place for, but it appears that all coins mined on sites hosting Coinhive’s script were ‘stolen’ during the period, instead of being credited to their accounts.
Coinhive stresses that no user account information was leaked and that its website and database servers were uncompromised. But while that’s good news, the method that the hackers used to access the company’s DNS provider lay in a basic security error.
Back in 2014, crowdfunding platform Kickstarter – which Coinhive used – fell victim to a security breach. After being advised of the fact by law enforcement officials, Kickstarter shut down the unauthorized access and began strengthening its systems, while advising customers to do the same.
While Coinhive did respond to the warning to ensure that its data was safe, something slipped through the net. One piece of information – its Cloudflare account password – remained unchanged after the Kickstarter attack. It now seems the most likely culprit for this week’s DNS breach.
“The root cause for this incident was an insecure password for our Cloudflare account that was probably leaked with the Kickstarter data breach back in 2014,” Coinhive says.
“We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old Cloudflare account.”
While not mentioning Coinhive explicitly, Kickstarter warned earlier this month that the 2014 incident may not be completely over. In an update posted on the site Oct 6, Kickstarter noted that some of its customers had recently been hearing more information about the breach from notification service Have I been pwned?.
In the meantime, Coinhive has issued an apology and indicated it will find ways to reimburse sites which have lost revenue as a result of the DNS hack.
“We’re deeply sorry about this severe oversight,” the company said. “Our current plan is to credit all sites with an additional 12 hours of their daily average hashrate. Please give us a few hours to roll this out.”
Based on earlier calculations carried out by TF, The Pirate Bay (if it was mining during the breach) could be potentially owed around $200 for the lost hashes, give or take. After turning off mining in September, the site reactivated it again in October, with no opt-out. The situation appears fluid.
While the hack is obviously a disappointment, Coinhive appears to have advised its users quickly and transparently, which under the circumstances is exactly what’s required. The fact that it’s offering compensation to users will also be welcomed.
The breach is the latest controversy to hit the company. Earlier this month, Cloudflare began banning sites which implemented Coinhive mining without informing their users. The CDN company said it considered non-advised mining as malware.
Post Syndicated from Ernesto original https://torrentfreak.com/pirate-bay-is-mining-cryptocurrency-again-no-opt-out-171011/
The miner utilizes CPU power from visitors to generate Monero coins for the site, providing an extra source of revenue.
The Pirate Bay only tested the option briefly, but that was enough to inspire many others to follow suit. Now, a few weeks later, Pirate Bay has also turned on the miners again.
The miner is not directly embedded in the site’s core code but runs through an ad script. Many ad blockers and anti-malware tools are stopping these requests, but people who don’t use any will see a clear spike in CPU usage when they access the site.
The Pirate Bay team previously said that they were testing the miner to see if it can replace ads. While there is some real revenue potential, for now, it’s running in addition to the regular banners. It’s unclear whether the current mining period is another test or if it will run permanently from now on.
The miner does appear to be throttled to a certain degree, so most users might not even notice that it’s running.
Running a cryptocurrency miner such as the Coin-Hive script TPB is currently using is not without risk. Aside from user complaints, there is an issue that may make it harder for the site to operate in the future.
Last week we reported that CDN provider Cloudflare had suspended the account of torrent proxy site ProxyBunker, flagging its coin miner as malware. This means that The Pirate Bay now risks losing the Cloudflare service, which they rely on for DDoS protection, among other things.
Cloudflare’s suspension of ProxyBunker occurred even though the site provided users with an option to disable the miner. This functionality was implemented by Coinhive after the script was misused by some sites, which ran it without alerting their users.
The Pirate Bay currently has no opt-out option, nor has it informed users about the latest mining efforts. This could lead to another problem since Coinhive said it would crack down on customers who failed to keep users in the loop.
“We will verify this opt-in on our servers and will implement it in a way that it can not be circumvented. We will pledge to keep the opt-in intact at all times, without exceptions,” the Coinhive team previously noted.
The Pirate Bay team has not commented on the issue thus far. In theory, it’s possible that a rogue advertiser is responsible for the latest mining efforts. If that’s the case it will be disabled soon enough.
Post Syndicated from Ernesto original https://torrentfreak.com/cloudflare-ceo-has-to-explain-lack-of-pirate-site-terminations-171010/
In August, Cloudflare CEO Matthew Prince decided to terminate the account of controversial neo-Nazi site Daily Stormer.
“I woke up this morning in a bad mood and decided to kick them off the Internet,” he wrote.
The decision was meant as an intellectual exercise to start a conversation regarding censorship and free speech on the internet. In this respect it was a success but the discussion went much further than Prince had intended.
Cloudflare had a long-standing policy not to remove any accounts without a court order, so when it departed from that policy, eyebrows were raised. In particular, copyright holders wondered why the company could terminate this account but not those of the most notorious pirate sites.
Adult entertainment publisher ALS Scan raised this question in its piracy liability case against Cloudflare, asking for a 7-hour long deposition of the company’s CEO, to find out more. Cloudflare opposed this request, saying it was overbroad and unneeded, while asking the court to weigh in.
After reviewing the matter, Magistrate Judge Alexander MacKinnon decided to allow the deposition, but in a limited form.
“As an initial matter, the Court finds that ALS Scan has not made a showing that would justify a 7 hour deposition of Mr. Prince covering a wide range of topics,” the order (pdf) reads.
“On the other hand, a review of the record shows that ALS Scan has identified a narrow relevant issue for which it appears Mr. Prince has unique knowledge and for which less intrusive discovery has been exhausted.”
ALS Scan will be able to interrogate Cloudflare’s CEO but only for two hours. The deposition must be specifically tailored toward his motivation (not) to use his authority to terminate the accounts of ‘pirating’ customers.
“The specific topic is the use (or non-use) of Mr. Prince’s authority to terminate customers, as specifically applied to customers for whom Cloudflare has received notices of copyright infringement,” the order specifies.
Whether this deposition will help ALS Scan argue its case has yet to be seen. Based on earlier submissions, the CEO will likely argue that the Daily Stormer case was an exception to make a point and that it’s company policy to require a court order to respond to infringement claims.
Meanwhile, more questions are being raised. Just a few days ago Cloudflare suspended the account of a customer for using a cryptocurrency miner. Apparently, Cloudflare classifies these miners as malware, triggering a punishment without a court order.
ALS Scan and other copyright holders would like to see a similar policy against notorious pirate sites, but thus far Cloudflare is having none of it.
Post Syndicated from Andy original https://torrentfreak.com/private-torrent-sites-allow-users-to-mine-cryptocurrency-for-upload-credit-171008/
The basic premise is that a piece of software embedded in a website runs on a user’s machine, utilizing its CPU cycles in order to generate revenue for the site in question. But not everyone likes it.
The main problem has centered around consent. While some sites are giving users the option of whether to be involved or not, others simply run the miner without asking. This week, one site operator suggested to TF that since no one asks whether they can run “shitty” ads on a person’s machine, why should they ask permission to mine?
It’s a controversial point, but it would be hard to find users agreeing on either front. They almost universally insist on consent, wherever possible. That’s why when someone comes up with something innovative to solve a problem, it catches the eye.
Earlier this week a user on Reddit posted a screenshot of a fairly well known private tracker. The site had implemented a mining solution not dissimilar to that appearing on other similar platforms. This one, however, gives the user something back.
First of all, it’s important to note the implementation. The decision to mine is completely under the control of the user, with buttons to start or stop mining. There are even additional controls for how many CPU threads to commit alongside a percentage utilization selector. While still early days, that all sounds pretty fair.
Where this gets even more interesting is how this currency mining affects so-called “upload credit”, an important commodity on a private tracker without which users can be prevented from downloading any content at all.
Very quickly: when BitTorrent users download content, they simultaneously upload to other users too. The idea is that they download X megabytes and upload the same number (at least) to other users, to ensure that everyone in a torrent swarm (a number of users sharing together) gets a piece of the action, aka the content in question.
The amount of content downloaded and uploaded on a private tracker is monitored and documented by the site. If a user has 1TB downloaded and 2TB uploaded, for example, he has 1TB in credit. In basic terms, this means he can download at least 1TB of additional content before he goes into deficit, a position undesirable on a private tracker.
Now, getting more “upload credit” can be as simple as uploading more, but some users find that difficult, either due to the way a tracker’s economy works or simply due to not having resources. If this is the case, some sites allow people to donate real money to receive “upload credit”. On the tracker highlighted in the mining example above, however, it’s possible to virtually ‘trade-in’ some of the mining effort instead.
Tracker politics aside (some people believe this is simply a cash grab opportunity), from a technical standpoint the prospect is quite intriguing.
In a way, the current private tracker system allows users to “mine” upload credits by donating bandwidth to other users of the site. Now they have the opportunity to mine an actual cryptocurrency on the tracker and have some of it converted back into the tracker’s native ‘currency’ – upload credit – which can only be ‘spent’ on the site. Meanwhile, the site’s operator can make a few bucks towards site maintenance.
Another example showing how innovative these mining implementations can be was posted by a member of a second private tracker. Although it’s unclear whether mining is forced or optional, there appears to be complete transparency for the benefit of the user.
In addition to displaying the total number of users mining and the hashes solved per second, the site publishes a ‘Top 10’ list of users mining the most currently, and overall. Again, some people might not like the concept of users mining at all, but psychologically this is a particularly clever implementation.
Utilizing the desire of many private tracker users to be recognizable among their peers due to their contribution to the platform, the charts give a user a measurable status in the community, at least among those who care about such things. Previously these charts would list top uploaders of content but the addition of a ‘Top miner’ category certainly adds some additional spice to the mix.
Mining is a controversial topic which isn’t likely to go away anytime soon. But, for all its faults, it’s still a way for sites to generate revenue, away from the pitfalls of increasingly hostile and easy-to-trace alternative payment systems. The Pirate Bay may have set the cat among the pigeons last month, but it also gave the old gray matter a boost too.
Post Syndicated from Andy original https://torrentfreak.com/cloudflare-bans-sites-for-using-cryptocurrency-miners-171004/
The stealth addition to the platform, which its operators later described as a test, was extremely controversial. While many thought of the miner as a cool and innovative way to generate revenue in a secure fashion, a vocal majority expressed a preference for permission being requested first, in case they didn’t want to participate in the program.
Over the past couple of weeks, several other sites have added similar miners, some which ask permission to run and others that do not. While the former probably aren’t considered problematic, the latter are now being viewed as a serious problem by an unexpected player in the ecosystem.
TorrentFreak has learned that popular CDN service Cloudflare, which is often criticized for not being harsh enough on ‘pirate’ sites, is actively suspending the accounts of sites that deploy cryptocurrency miners on their platforms.
“Cloudflare kicked us from their service for using a Coinhive miner,” the operator of ProxyBunker.online informed TF this morning.
ProxyBunker is a site that links to several other domains that offer unofficial proxy services for the likes of The Pirate Bay, RARBG, KickassTorrents, Torrentz2, and dozens of other sites. It first tested a miner for four days starting September 23. Official implementation began October 1 but was ended abruptly last evening.
“Late last night, all our domains got deleted off Cloudflare without warning so I emailed Cloudflare to ask what was going on,” the operator explained.
As the email above shows, Cloudflare cited only a “possible” terms of service violation. Further clarification was needed to get to the root of the problem.
So, just a few minutes later, the site operator contacted Cloudflare, acknowledging the suspension but pointing out that the notification email was somewhat vague and didn’t give a reason for the violation. A follow-up email from Cloudflare certainly put some meat on the bones.
“Multiple domains in your account were injecting Coinhive mining code without notifying users and without any option to disabling [sic] the mining,” wrote Justin Paine, Head of Trust & Safety at Cloudflare.
“We consider this to be malware, and as such the account was suspended, and all domains removed from Cloudflare.”
ProxyBunker’s operator wrote back to Cloudflare explaining that the Coinhive miner had been running on his domains but that his main domain had a way of disabling mining, as per new code made available from Coinhive.
“We were running the miner on our proxybunker.online domain using Coinhive’s new Javacode Simple Miner UI that lets the user stop the miner at anytime and set the CPU speed it mines at,” he told TF.
Nevertheless, some element of the configuration appears to have fallen short of Cloudflare’s standards. So, shortly after Cloudflare’s explanation, the site operator asked if he could be reinstated if he completely removed the miner from his site. The response was a ‘yes’ but with a stern caveat attached.
“We will remove the account suspension, however do note you’ll need to re-sign up the domains as they were removed as a result of the account suspension. Please note — if we discover similar activity again the domains and account will be permanently blocked,” Cloudflare’s Justin warned.
ProxyBunker’s operator says that while he sees the value in cryptocurrency miners, he can understand why people might be opposed to them too. That being said, he would appreciate it if services like Cloudflare published clear guidelines on what is and is not acceptable.
“We do understand that most users will not like the miner using up a bit of their CPU but we do see the full potential as a new revenue stream,” he explains.
“I think third-party services need to post clear information that they’re not allowed on their services, if that’s the case.”
At time of publication, Cloudflare had not responded to TorrentFreak’s requests for comment.