[liberationtech] // freevpn.me //

[Julian Oliver]

..on Wed, Jul 29, 2015 at 01:47:38PM +0000, Tempest wrote:
> Shelley:
> > The general rule of "free" services, as I'm sure most on this list know,
> > is: you are not the client, you are the product.  I don't use free VPNs
> > or free email, etc. nor do I recommend them to anyone.
> 
> the general rule should be that vpns are always a roll of the dice. paid
> or free, both have the ability to track you. those that say they don't
> or won't often do if their business model is threatened by someone
> powerful enough. thus, if privacy and/or anonymity is the goal,
> mitigating steps before and after connecting to the vpn should be taken
> (unaffiliated public access point, tor/tails/whonix, etc.).

Agreed. And in any case, there may be situations where it's more sane to use a
VPN you have no reason to trust (to tunnel you across a hostile border (or route
segment)) than using no VPN at all. 

I was once in a situation where I urgently needed SSH access to my server but
couldn't, as SSH appeared to be blocked at the firewalled. I could only assume
DPI was the culprit, as I was ssh'ing on port 443. With only a Windows laptop
(belonging to someone I didn't know well) at my disposal I did the forbidden and
used a PPTP VPN (famously breakable) through a VPN host I knew nothing about. In
this case, trust in either protocol or provider presented little risk: I SSH'd
with a jailed account (to lower threat from password capture (local keylogger or
evil endpoint)), checked I was actually on my server, su'd to another user and
all was well. 

As usual, context rules the threat model.

Cheers,

-- 
Julian Oliver
http://julianoliver.com
http://criticalengineering.org
PGP key: https://julianoliver.com/key.asc
Beware the auto-complete life.