Tech guys, recommend a vpn

Man I have had this conversation with my parents more times than I can count.
It took years to get them on a password manager instead of pieces of paper and iterative passwords that caused me psychic damage every time I saw it.
It's easier to sell a solution than to fix lifestyle most times.

 

Isn't this what people typically want though? They just want the information that is out there to not be traceable to them directly, right? Is there a way to keep all of your data off the 'interstate' that you're referring to, or can you only encrypt it someway so that it's not accessible to people in the way that your luggage is still on the belt, but it's locked and you hold the key.

 

"Password managers" really set off my alarm bells. If I wanted to get into the hacking industry, Id build a password manager app...

Paper and pencil works good until your ex spouse throws the paper away...

Now Im at the point where I minimize the number of things I need to keep a password for. Too many times theyve made me change passwords 3 times a yr. Im thru with it. Ill call you on the phone instead!

 

LastPass had a recent hack brought them into a bad light, and is worth paying attention to. Bitwarden hasn't been hacked and has the extra encryption layer that helps protect against hacks.

 

Not to mention the “your new password must be sixty characters long, contain uppercase and lowercase Cyrillic characters in thirty four Pantone colors, four special characters that cannot be in a sequence, repeat, or have been used in any work of Shakespeare, and at least twelve numeric characters that do not contain digits used in your address, date of birth, or be a number used in any formulas to convert metric measures to imperial”…

 

Who's letting you make easy passwords like that?

 

The IRS…

 

The bulk of what you do these days is already encrypted between your machine and the endpoint you're talking to. Look at this forum for example, it supports SSL, so as your ISP all that is seen is a connection between cust IP A and remote webserver B. They can't see what you're accessing on said webserver because the conversation is encrypted. Depending on your browser, they may not even be seeing the DNS requests to find out how to reach webserverB as many browsers are behind your back ignoring your DNS settings and redirecting them over HTTPS... Most other protocols now also support SSL or other encryption means by default between you and the endpoint. Your ISP can correlate an IP to a customer account, but once the traffic exits their network to the outside world, there isn't a quick and easy way for others to make that association, they can just note that it's from X ISP, region Y maybe.

(Angry IT eng noises... Chrome is about to be even worse, not just redirecting DNS but also transparently proxying your web browsing through third party gateways, and not making it blatantly obvious to Joe Enduser that it's doing so. Note, this happens if you're VPNing or not... I *HATE* this decision and will likely be enforcing blocking it via software and policy means at work.)

Now, where you're getting actually tracked from is within your browser, VPN or no. Between cookies and other browser identification technologies, the big advertising players (Google, Facebook, etc) can reliably tie a random browser hit to a specific identity pretty easily, no need to look at the IP or where on the internet you theoretically came from. As an ISP, we don't see that info, because again your browser traffic is already encrypted before it hits the wire. The legal system is just starting to wake up to this, multiple people in the industry have been screaming about it for years, some of the browser MFGs are starting to try and address it, though some (Google via Chrome) are more playing lipservice and coming up with bad 'fixes' that introduce other issues they can exploit and block out others... more angry IT eng noises...

If you're talking about hiding illegal activity like say piracy, I won't get into the details but I'll just say your VPN won't save you there either. At best it'll delay things for a very short window if someone takes notice and wants to pursue, and as an ISP I can tell if you're bittorrenting even with a VPN in place. The days of seven proxy hops being anything other than a meme never existed.

 

I'm a fan of Clipperz.is these days. They show their work, you can host your own instance if you want.

 

For password manager. KeePass is my choice. You pick level of encryption. You can lock it with a master pasword, or a key file, or both. I use both, and have been keeping the database part on dropbox to sync between devices, and copy the key file directly. Can't get hacked without both files and the password. Minus building a backdoor into the software. But at least nothing is 'in the cloud' like some other password managers.

I read an article where some websites were tracking people by the little 8x8 icon they load in the address bar. They keep redirecting the browser until it builds enough bits to make an ID via the pixel count and colors (I think). Don't quite remember the fine details, but it was crazy how elaborate some of these methods have gotten.

And beating someone to the punch. I'm pretty sure even using things like Tor and Onion browser isn't enough. If they really want to find you, they will. You'd be silly to think all the three letter departments aren't operating their own Tor relays to track whatever traffic they can find.

 

fascinating. Thanks for taking the time to spell that out.

 

It also matters who you are trying to keep the data from. And what data you are trying to hide - location, sites accessed, actual data transferred, etc.
Like earlier noted, if the government wants to track you, they will, no matter what or where.
Actual data transferred is mostly encrypted by HTTPS and although it is possible to capture and decode, it takes a lot of resources to do that and usually isn't worth it for common data.
Location can be tracked pretty easily in real time no matter if you have location services enabled or not. Between your debit/credit cards, phone, computer, vehicle, public and private security cameras, plate readers, facial recognition, speed and red light cameras, etc. its easy, even trivial to track nearly anyone in real time.
Its best to assume that there is ZERO privacy anymore. The good news is that most of us have no on-line session data worth the effort to capture.

The bigger threat to your data comes from foolish things people do:
re-used passwords
easy to guess passwords (123abc or abc123 are not strong passwords!)
answering those stupid memes on social media (your stripper name, etc.) [ provides answers to typical security questions]
clicking on links in texts and emails from people/businesses you don't know and trust.
responding to random idiotic emails
other social engineering to get you to cough up useful info.

That sort of stuff reveals more useful data to get into your accounts/computers than watching your web traffic.

 

I get a LOT of business loan solicitations from scamming pieces of shit who skim DOT filings.

I strip out the tracking code from the URL and go directly to the site and input a pile of fake information when I’m bored to do my small part in injecting some chaos into their datasets.

 

Sounds like the company I used to work at, passwords had to be changed every couple months too so it became standard practice of everyone to write them down in their notebook.

 

This drives me nuts, mainly 'cause the current best practice is to enforce a long password, preferably a pass phrase, enforce MFA, and do NOT require password changes except when specific events occur. Freaking cyberinsurance companies haven't caught up yet though, so screw NIST / etc, you change that password every 90 days like clockwork or no insurance.

 

Other than Chrome not being your browser of choice, what's this section supposed to mean? Can the 3rd party gateway owners "see" the traffic?

 

They'll see source and destination, I need to drill more into the specific implementation to see how much deeper they'll be able to see. I'm more annoyed with the idea that they're just going to flip this on at their whim and not make it obvious it's happening.

 

this is not the answer that you are looking for, but a "secure" VPN solution can be done, with moderate tech knowledge, here are the steps:
- get an account with a cloud provider
- setup a linux "server"
- install an open source vpn app
- secure everything (linux, server, dns, whatever the vpn app recommends (including ssl cert) and make sure that all traffic goes via the vpn)
- setup a user with a 2FA code via "the vpn app dashboard"
- setup the open vpn app on your mobile and desktop
- test

keep in mind that security starts from the device setup to how well you understand tech (especially everything related to the internet) and how up to date you are with the current tech "trends" (and the various trade offs).

 

Just use the Starbucks wifi so you don't have to worry about all that stuff.

 

hmmmm....that'll work...