• Deloitte confirms PIA’s no-log claims, with servers running on RAM-only system for maximum privacy.
  • Independent audit verifies PIA’s infrastructure is not vulnerable to third-party exploitation, ensuring online activity remains private.
  • PIA offers full transparency with open-source apps and regular third-party audits, proving its commitment to data protection.
  • db2@lemmy.world
    link
    fedilink
    English
    arrow-up
    10
    arrow-down
    1
    ·
    7 months ago

    Which one is good against nation states? Asking for a friend.

    • Itsamelemmy@lemmy.zip
      link
      fedilink
      English
      arrow-up
      36
      arrow-down
      1
      ·
      7 months ago

      If you need to ask, you probably don’t know enough to keep yourself anonymous. But it starts with tails, tor and not doing anything stupid like reusing user names that you use on the clear web or signing into something like Facebook. If a nation state has reason to find out who you are, they most likely will. All it takes is one little mistake that you most likely didn’t even know was a mistake.

    • henfredemars@infosec.pub
      link
      fedilink
      English
      arrow-up
      21
      arrow-down
      1
      ·
      7 months ago

      Use the one they’re using: Tor.

      There’s a long list of reasons why you might not want to use it though.

      • 13262483
        link
        fedilink
        English
        arrow-up
        29
        ·
        7 months ago

        By default, Tor doesn’t protect you from nation states. It’s a start, but you have to be an intelligent user who understands statistics to have some protection from nation states.

        Let’s assume there’s two teams, because in geopolitics, it seems like we divide into “west” and “east.” Let’s assume team 1 controls 10% [1] of the relays, they have more than enough budget to pay for the entire network 100x over. That means, on entry, there’s a 10% probability that you will land on their entry node.

        Now, to do traffic analysis, they need you to also land on their exit. The probability of that is also 10% in the example. In other words, 10% of the time that you have their entry, you will also have their exit. (or, for 1 in every 100 circuits, you will have a compromised circuit) If you use Tor everyday for a year, you’ll likely have a fucked circuit at least once. If you use something like Whonix that spawns like 10-20 circuits at start, you’ll have a compromised circuit weekly.

        A compromised circuit isn’t the end of the world. Most internet traffic today uses end to end encryption, [2] so as long as the service is outside of team 1’s jurisdiction, your communications are safe… but team 1 knows who you are, and that you are talking to someone they don’t trust. If it’s in their jurisdiction, they can get a warrant, and they can fully de-anonymize the traffic between the service that you were using.

        All of this is to say, it’s hard to stay in the dark if your adversary is information intelligence. The best way to stay invisible is to use the network as infrequently as possible, and to make the time correlation very far off. (Use custom relays that delay when the traffic travels so that traffic analysis like this example is not possible)

        By the way, in the US, the NSA has multiple sites where they copy the traffic on the backbone for analysis. They’re performing some deep packet analysis. These systems are going to improve in the future with machine learning. As an example, in China, it’s not exactly simple to connect to Tor as some methods of concealing Tor traffic result in detection from machine learning that they’re performing on all traffic.

        [1] This is a hypothetical. They could control 0%, 5%, 25%, etc. It’s publicly unknown how much they control or if they try to control the network at all.

        [2] Be careful with your assumptions about https. Where are the root authorities? Why should we trust them? It’s better security to never trust them.

        • Socsa@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          They don’t actually need to control the entrance nodes if they control the ISP. You can track TCP fingerprints through Tor with just exit nodes

        • henfredemars@infosec.pub
          link
          fedilink
          English
          arrow-up
          32
          ·
          7 months ago

          Biggest problem is that it’s free. That means you’ve got very little bandwidth that’s usable since it’s being supplied out of generosity for no direct compensation that could be reinvested into the network. There’s just too many users and not enough bandwidth.

          And because it actually works, it’s very difficult or impossible to police how it’s used. That means your precious bits are just as important as the 100,000 spam emails that another user is trying to send with the service.

          Finally, you might not want to use it because you’re sharing the same exit nodes with many other users. This means services tend to block those IP addresses outright, limiting what you can use it for, and if you leak and identify such as your name maybe you don’t want that tied to an IP address that actual terrorists might have used.

          I write this as someone who owns a bunch of official Tor merchandise.

          • db2@lemmy.world
            link
            fedilink
            English
            arrow-up
            17
            ·
            7 months ago

            Spam emails are about the tamest dark part of the dark web though…

            • henfredemars@infosec.pub
              link
              fedilink
              English
              arrow-up
              11
              arrow-down
              1
              ·
              7 months ago

              I’m trying to be nice for the general public that could be reading this post. But yes, there’s a lot of bad stuff out there, and VPN service providers aren’t just getting paid to invest in tons of bandwidth, but they are also doing some policing of their service. They just don’t talk about it. It’s bad for business. And yes, you can police a service without technically logging any data.

                • henfredemars@infosec.pub
                  link
                  fedilink
                  English
                  arrow-up
                  10
                  ·
                  7 months ago

                  They sell things! I’ve bought mostly graphic clothing at funding events. You’ll find some presence at big hacker conventions. You could sometimes get a few goodies if you operate large nodes or provide significant contributions in other ways.

    • Socsa@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      4
      ·
      7 months ago

      The solar powered RPI jump box you installed on a telephone pole outside the McDonald’s.

      • db2@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        Who told you about that?

        That is… I don’t know what you mean…