[liberationtech] advice on securing a new computer

Julian Oliver julian at julianoliver.com
Mon Jan 28 10:32:30 PST 2013


..on Mon, Jan 28, 2013 at 07:54:23AM -0800, Brad Beckett wrote:
> 
> Thanks for your response. After I sent that e-mail I was telling myself
> somebody is probably going to say that. 

I know the feeling!

> Yes, I also believe OpenVPN would be better, but is more complicated to set up
> and use for an average user.
> 
> It can be scripted, but then what if it doesn't connect because it's being
> blocked and the user assumes they're protected when they're not?
> 
> The reason for suggesting PPTP is simplicity, the user stated, "I am not a
> geek". I'd rather my average users use PPTP for the sake of simplicity than
> no VPN at all, or a trojaned OpenVPN client.

I'm also not as black-and-white as some about PPTP - there might be a situation
where you only have a friend's Windows Mobile device, 5 minutes and a remote
payload (web page, video) otherwise detected (e.g. w/DPI) and blocked by the
local firewall. In this case, I'd rather use PPTP than no VPN at all!

However, to suggest that users should be generally encouraged to use it for
reasons of setup simplicity is not wise, I think, especially given the fact that
there are a bunch of clients these days that make setting up a L2TP or OpenVPN
connection much easier. The grandparent of this thread, I think, could probably
deal with this just fine (for instance):

    http://www.techrepublic.com/blog/mac/how-to-set-up-an-os-x-openvpn-client/783

(I don't use OS X and so can't verify if that works)

> Due to commercial VPN endpoint spying, anything that could get you thrown
> into prison in a 3rd world country (such as trying to subvert the
> current regime) should be done over TOR, not solely a VPN provider. However
> you can use the two together if TOR is being blocked in the country you've
> selected such as China by using the VPN to connect out of the country then
> into TOR.

Yes, this is a good strategy - perhaps the only at the time of writing!

If you're in a volatile situation it is just not sane to trust a commercial VPN
over a community run non-profit. Even if they don't yield to local jurisdiction
 - partnering in one of the many illegal surveillance projects currently in
vogue, from regimes to Western democracies - they may take on foreign
governments as clients.  It's been suggested (even here, I think) that some VPN
providers may even have been created by Governments. Perhaps not so 'tin foil
hat' as we'd like to think.

Just because you're paranoid doesn't mean it's not happening..

> I never have, and never will, trust any commercial VPN provider with my
> freedom or life and nobody should either thus why I stated always have TOR
> handy. I should have explained my reasoning better but didn't want to send
> a "wall of text".

Hehe. Understood.

Cheers,

Julian

> On Mon, Jan 28, 2013 at 3:16 AM, Julian Oliver <julian at julianoliver.com> wrote:
> 
> > ..on Sun, Jan 27, 2013 at 07:05:11PM -0800, Brad Beckett wrote:
> > > Here is a Free VPN service: http://www.vpnbook.com/
> > >
> > > I've tested their PPTP connections out and they work well, don't know if
> > > you can trust them or not though so make sure you use https on all sites
> > > you login to.
> > >
> > > Here's a video guide how to set up PPTP VPN connections in OS X:
> > > https://vimeo.com/15752843
> >
> > PPTP is OK for situations whereby you need to set up and quickly tunnel out on
> > whatever platform you have at hand, assuming it isn't vital to keep what you're
> > doing away from prying eyes. In every other case you are better not to use PPTP
> > VPN connections as they can be 'cloud cracked' for a couple of hundred bucks,
> > maybe less (assuming a local attacker can capture network packets on your
> > network).
> >
> > If you want to be absolutely sure no one on the wire can listen in, then PPTP is
> > /not/ what you want. What you want is an L2TP VPN service or, better, OpenVPN.
> >
> > Similarly, be careful which VPN provider you use. It's perfectly possible that
> > some VPN providers operating in countries may work for those countries, under
> > the jurisdiction they pay tax within. They may have reasons to be interested in
> > what you are doing (activism, diplomatic relations, corporate and governmental
> > communications, etc) and so provide access to that government if asked.
> >
> > See the section 'VPN' in the CryptoParty handbook. This is all discussed,
> > complete with installation instructions for OS X:
> >
> >     https://cryptoparty.org/wiki/CryptoPartyHandbook#Version_1.1
> >
> > Cheers,
> >
> > Julian
> >
> > >
> > > On Sun, Jan 27, 2013 at 5:09 PM, Joseph Mornin <joseph at mornin.org> wrote:
> > >
> > > > Apple publishes a security configuration guide for OS X:
> > > > https://ssl.apple.com/support/security/guides/
> > > >
> > > > The NSA also publishes hardening tips:
> > > > http://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf
> > > >
> > > > Cheers,
> > > > Joe
> > > >
> > > > --
> > > > Joseph Mornin
> > > > http://www.mornin.org/
> > > >
> > > >
> > > > On 1/27/13 4:52 PM, sam de silva wrote:
> > > >
> > > >> Hi there,
> > > >>
> > > > >> Are there any guides that tell me how to make a new computer secure, for
> > > > >> both use and connecting and communicating via the net?
> > > >>
> > > >> My set up is as follows:
> > > >>
> > > >> - Macbook Pro, running Mac OS 10.6.8
> > > >>
> > > >> My requirements are as follows:
> > > >>
> > > > >> - I am almost always connected to the net, and need fast access, and full
> > > > >> web-browsing experience
> > > > >> - I'd like to block apps from sending out / receiving data from the net
> > > > >> - I'd like a secure cloud storage space for my own stuff and occasionally
> > > > >> share with others
> > > > >> - My workplace is Microsoft-based we have email via IMAP. I'd like to
> > > > >> have the option to send encrypted (PGP) emails to others.
> > > > >> - I'd like to secure the email that's stored on my laptop. I'd like to
> > > > >> use Apple Mail as my client.
> > > > >> - I travel often, and I'd prefer not to have my data fall into the wrong
> > > > >> hands.
> > > >>
> > > >> - I am not a geek, but can install my own applications and if guided
> > > >> properly can do terminal stuff
> > > >>
> > > >> ---
> > > >>
> > > >> Any feedback or direction appreciated.
> > > >>
> > > >> Best, Sam :-)
> > > >>
> > > >>
> > > >> ------------------------------**--
> > > >> Sam de Silva
> > > >> skype: samonthenet
> > > >> sam at media.com.au
> > > >> +61 412 238 041
> > > >>
> > > >> --
> > > >> Unsubscribe, change to digest, or change password at:
> > > > >> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> > > >>
> > > >>  --
> > > > Unsubscribe, change to digest, or change password at:
> > > > https://mailman.stanford.edu/**mailman/listinfo/**liberationtech<
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech>
> > > >
> >
> >
> >
> > --
> > Julian Oliver
> > http://julianoliver.com
> > http://criticalengineering.org
> >



-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
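
The concern raised in this thread, a scripted VPN that silently fails to connect while the user assumes they are protected, can be handled with a fail-closed routing check. The script below is an added example, not part of the original messages; the helper names, the interface-name pattern and the sample routing tables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed check that IPv4 traffic really leaves via the VPN.
# Assumption: the routing table is in macOS `netstat -rn -f inet` layout and
# tunnel interfaces are named tun*/utun*/tap*/ppp* (OpenVPN, L2TP/PPTP).
DEFAULT_TUNNEL_RE='^(tun|utun|tap|ppp)[0-9]+$'

# tunnel_covers_ipv4 [IFACE_REGEX]  (hypothetical helper name)
# Reads a routing table on stdin; exits 0 only if both halves of the IPv4
# address space are routed through an interface matching the regex.
tunnel_covers_ipv4() {
    awk -v re="${1:-$DEFAULT_TUNNEL_RE}" '
    {
        via = 0
        for (i = 3; i <= NF; i++) if ($i ~ re) via = 1
        # OpenVPN "redirect-gateway def1" adds 0/1 and 128.0/1, which are
        # more specific than "default" and therefore win over it.
        if ($1 == "0/1")          { low_seen = 1;  low_via = via }
        else if ($1 == "128.0/1") { high_seen = 1; high_via = via }
        else if ($1 == "default" && !def_seen) { def_seen = 1; def_via = via }
    }
    END {
        low_ok  = low_seen  ? low_via  : def_via
        high_ok = high_seen ? high_via : def_via
        exit !(low_ok && high_ok)   # any uncovered half means "not protected"
    }'
}

# Prints a verdict for the table on stdin; anything but full coverage fails closed.
vpn_verdict() {
    if tunnel_covers_ipv4 "$@"; then echo "PROTECTED"; else echo "NOT PROTECTED"; fi
}

# Constructed sample tables (not captured from a real host).
TABLE_VPN_UP='Destination   Gateway       Flags  Refs  Use  Netif Expire
0/1           10.8.0.5      UGSc      3    0   tun0
default       192.168.1.1   UGSc     12    0    en1
128.0/1       10.8.0.5      UGSc      1    0   tun0'
TABLE_VPN_BLOCKED='Destination   Gateway       Flags  Refs  Use  Netif Expire
default       192.168.1.1   UGSc     12    0    en1
192.168.1     link#5        UCS       2    0    en1'

printf '%s\n' "$TABLE_VPN_UP"      | vpn_verdict
printf '%s\n' "$TABLE_VPN_BLOCKED" | vpn_verdict
# Live use on the Mac itself: netstat -rn -f inet | vpn_verdict
```

The check covers IPv4 routing only; more specific routes (such as the local LAN) and IPv6 traffic are outside what it verifies.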


