[Tails-dev] Cryptostorm Integration For TAILS?

Author: Dr. Killswitch, D.V.M.
Date:  
To: tails-dev
Subject: [Tails-dev] Cryptostorm Integration For TAILS?
Hello,

This message is a companion to ones that were posted for Qubes and Whonix
as well as TAILS.

A recent study has revealed 14 of the top VPN providers are vulnerable to
leaks via IPv6 as well as DNS.


http://www.engadget.com/2015/06/30/vpns-leak-your-information/


Cryptostorm has been researching VPN service providers for a while and
additional failure modes observed include VPN client binary blobs that
install adware, key loggers, trojans, etc. The details down to the level
of traffic captures from the offending services are found at this
Cryptostorm project site:


http://cleanvpn.org


Cryptostorm's offering is fundamentally different from every other
provider out there. Specifically:


Zero Customer Knowledge VPN - buy a token, hash it, the hash is your
username, your password can be anything. Bitcoin is just one of a number
of purchase paths. Cryptostorm doesn't need to make dramatic vows about
not logging its users - the system can't, as it never *has* your identity.
The hash is impossible to reverse; this provides additional protection
since it's impossible to derive the original token from it.


Adversary Resistant Networking - the Cryptostorm client, an open piece of
Perl code, was modified to interdict the webrtc/STUN public IP address
leak within days after this became public.


https://cryptostorm.org/viewtopic.php?t=8549


Recently, malware analysis experts Kaspersky reported that they faced a
six month battle to eject espionage-ware from their network, identifying
the effort as Duqu Bet, with Bet being the second letter in the Hebrew
alphabet, a not so subtle slap at the Israeli government, whom they
believe to be behind the campaign.


https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/


Cryptostorm has had direct experience with Duqu Bet and from that has
developed NIC parameter and sysctl hardening that interdict some of the
midpoint injection methods used. This is still in the process of being
included in the client side configuration, but it is an example of the
attention to detail Cryptostorm provides above and beyond the simple
transport of packets.


Cryptostorm offers a free rate limited service which can be found at
http://cryptofree.me - this service provides 256k symmetric capacity and
mixes the free customers in with the paid customers of a busy node. It is
felt that this serves several purposes, providing a no-cost means to
evaluate the product, as well as supporting users in developing countries
who need an alternative to Tor for whatever reason. You can examine the
free service by using this config file:

http://pastebin.com/fvWgdYNn


We would like to hear from someone at TAILS regarding the following:


1. We want to share the particulars of the NIC and sysctl hardening being
used, and what specific threats this eliminates, with an eye on this being
included in TAILS

2. We would like TAILS to consider shipping a working Cryptofree setup
along with Tor and I2P. We realize this is a trifle different for TAILS
than for the Qubes & Whonix guys, but we think a VPN first/anonymizing
network next setup has a lot of merit in some situations.


I am happy to answer questions from other Adversary Resistant Computing
efforts such as Qubes, Whonix, etc. - we'd love to see Cryptostorm Zero
Customer Knowledge VPN service bundled with all of them, and we're hoping
given the recent negative attention on other providers that we can
stampede a portion of the market into not simply vowing that they don't
log, but instead using methods similar to ours, which eliminates that
possibility entirely.