Using VPNs to protect your privacy

We’ve all seen the depths to which governments across the world will go to get their grubby little hands on your private data. Often illegally!

The Prism surveillance program, XKeyscore & the recently mooted Australian metadata retention program are all cases in point. Yep, that’s Australia’s elected Attorney General there!

If you think that the spooks and federal, state & local police aren’t trawling through your information without a warrant (Canada, Romania, France, US) then quite frankly you are a moron and you shouldn’t be allowed to use the Internet.

So what can you do to protect yourself?

Most decent routers allow you to establish Virtual Private Networks (VPNs) that encrypt your data and tunnel it to a VPN server somewhere else on the planet before it pops out onto the public Internet.

Without a VPN your data leaves your PC, goes through your router to your ISP and pops out in your own country, and this is where your local spooks and cops are slurping up your data for analysis.

With a VPN the data that they slurp up is gibberish. It’s encrypted between your router and the VPN server, which makes it difficult (but not impossible, mind you) for them to read. Bear in mind that the traffic leaves the VPN server in the clear, so what you are really doing is moving your trust from your ISP and local spooks to the VPN provider and whoever is watching the other end.

How to setup a VPN?

This all depends on the capabilities of your router. There are 4 or so major VPN “standards” and you’ll need a router that supports one or more of them.

OpenVPN

OpenVPN is an open source project that implements a quite robust VPN protocol and it is supported by pretty much every VPN provider on the planet. Quite easy to set up and keep running. Downside is that you normally need to install a third-party firmware (DD-WRT or Tomato) on your router to get this capability, and not all routers support that firmware.

IPSEC

IPSEC is an Internet standard for the encryption and authentication of the data packets on the Internet. There are slightly different variants depending on whether you’re doing site-to-site VPNs or setting up a teleworker to dial into your network.

A very secure protocol but it can be a hassle to set up correctly due to the number of knobs that can be tweaked. Things like NAT can cause you much grief: ESP has no port numbers for a NAT box to rewrite, so both ends need to support NAT Traversal (NAT-T), which wraps the ESP packets in UDP port 4500.

L2TP/IPSEC

L2TP by itself does not give you encryption (it just tunnels PPP frames over UDP port 1701), so it is pretty much useless on its own for protecting your communications. But when L2TP is wrapped in IPSEC you end up with a relatively good level of security for your Internet communications.

L2TP/IPSEC is a good trade-off of simplicity and capability. One caveat: many providers hand out a single pre-shared key to all of their customers, which keeps passive snoopers out but does nothing against anyone who has that key and can get between you and the server.

PPTP

PPTP is NOT considered secure anymore: its MS-CHAPv2 authentication can be cracked offline, and with it the MPPE session keys that encrypt the tunnel. Do not use it unless you absolutely have to and nothing too confidential is flowing through the VPN. Probably OK for torrenting.

Are all VPN providers created equal?

In a word NO!

The technical capabilities of the VPN provider, the support experience and network speed all come into play when selecting a provider. You might also be concerned with how you can pay for your VPN – some providers allow you to pay with anonymous gift cards if you’re that paranoid.

I recently upgraded to a Draytek Vigor 2860 router. I’ve been quite impressed with it in the short time I’ve been using it. The 2860 supports dial-out VPNs, load balancing and failover across VPNs, and policy-based routing that lets you select what traffic goes out via the VPN and what goes straight to your ISP. You can have up to 32 VPNs configured.

During my travels I’ve seen that VPN providers don’t all live up to their marketing hype. While all the providers below say on their web page that they support “L2TP/IPSEC”, your results can vary widely. For example, 2 of the providers below will quite happily establish an L2TP/IPSEC connection without the encryption turned on! Completely useless as a VPN to protect your identity and information, so check the tunnel on the wire rather than trusting the web page.
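Checking on the wire is simple enough to script. The following is an added example written for this post (my code, not the author’s and not a feature of any router or provider): given raw IPv4 packets as you would capture them on the WAN side of the router, it labels each one as ESP, UDP-encapsulated ESP (NAT-T on UDP 4500), IKE, or L2TP travelling in the clear on UDP 1701, and reports whether the tunnel is actually encrypted. The packets and the 203.0.113.10 / 198.51.100.5 addresses at the bottom are constructed for the example; reading packets out of a real pcap file is left to you. One caveat: an IPsec SA negotiated with a NULL cipher still shows up as ESP, so also confirm in the router’s IPsec log that the proposal that came up is AES/SHA1 and not NULL.

```python
"""Check whether an L2TP/IPsec tunnel is really encrypted on the wire.

Added example for this post; not the author's code and not a router feature.
It classifies raw IPv4 packets (as captured on the router's WAN interface)
and flags any L2TP that is travelling outside IPsec. The sample packets at
the bottom are constructed here, using RFC 5737 documentation addresses.
"""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50        # ESP rides directly on IP, no ports
L2TP_PORT = 1701        # L2TP control and data, RFC 2661
IKE_PORT = 500          # IKE key exchange
NAT_T_PORT = 4500       # UDP-encapsulated ESP and IKE behind NAT, RFC 3948


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]


def classify(pkt):
    """Label a packet: esp, esp-udp-encapsulated, ike, l2tp-cleartext or other."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        return "esp"
    if proto != IPPROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    if L2TP_PORT in (sport, dport):
        # L2TP visible as plain UDP: the IPsec layer is missing.
        return "l2tp-cleartext"
    if NAT_T_PORT in (sport, dport):
        # RFC 3948: UDP-encapsulated ESP starts with the SPI, which is never
        # zero; a four-byte zero "non-ESP marker" means this is IKE instead.
        if len(data) >= 4 and data[:4] != b"\x00\x00\x00\x00":
            return "esp-udp-encapsulated"
        return "ike"
    if IKE_PORT in (sport, dport):
        return "ike"
    return "other"


def tunnel_is_encrypted(packets):
    """True only if no cleartext L2TP was seen and some ESP traffic was."""
    kinds = [classify(p) for p in packets]
    return "l2tp-cleartext" not in kinds and any(k.startswith("esp") for k in kinds)


# --- constructed sample traffic (checksums left at zero; fine for parsing) ---

def build_ipv4(proto, src, dst, payload):
    octets = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, octets(src), octets(dst))
    return hdr + payload


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


HOME, VPN_SERVER = "203.0.113.10", "198.51.100.5"
# L2TP control message (SCCRQ-style header) sent with no IPsec around it.
L2TP_CLEAR = build_ipv4(IPPROTO_UDP, HOME, VPN_SERVER,
                        build_udp(L2TP_PORT, L2TP_PORT, b"\xc8\x02\x00\x0c" + b"\x00" * 8))
# Same tunnel done properly: ESP header (SPI, sequence) followed by ciphertext.
ESP_RAW = build_ipv4(IPPROTO_ESP, HOME, VPN_SERVER,
                     b"\x12\x34\xab\xcd\x00\x00\x00\x01" + b"\xde\xad\xbe\xef" * 8)
# Behind NAT: the same ESP wrapped in UDP 4500 (non-zero SPI comes first).
ESP_NATT = build_ipv4(IPPROTO_UDP, HOME, VPN_SERVER,
                      build_udp(NAT_T_PORT, NAT_T_PORT,
                                b"\x12\x34\xab\xcd\x00\x00\x00\x02" + b"\x00" * 32))
# IKE on 4500 carries the four-byte zero non-ESP marker in front.
IKE_NATT = build_ipv4(IPPROTO_UDP, HOME, VPN_SERVER,
                      build_udp(NAT_T_PORT, NAT_T_PORT, b"\x00\x00\x00\x00" + b"\x11" * 28))

# "Bad" provider: IKE came up, then L2TP went out in the clear anyway.
BAD_PROVIDER = [IKE_NATT, L2TP_CLEAR, L2TP_CLEAR]
# "Good" provider: only ESP after the key exchange.
GOOD_PROVIDER = [IKE_NATT, ESP_NATT, ESP_RAW]

if __name__ == "__main__":
    for name, pkts in (("bad provider", BAD_PROVIDER), ("good provider", GOOD_PROVIDER)):
        print(name, [classify(p) for p in pkts], "encrypted:", tunnel_is_encrypted(pkts))
```

Run it against a minute of traffic captured on the WAN port while the tunnel is up and something is downloading; a single “l2tp-cleartext” label is enough to fail the provider, no matter what the router’s status page says.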

VPN Provider | Supports L2TP/IPSEC | Support Quality | Comments
--- | --- | --- | ---
Witopia | Yes, with AES encryption and SHA1 authentication | I've only needed to use support once and it was fast and efficient | Downside is that technically you're not allowed to set up Witopia VPNs on routers.
NordVPN | Yes, with AES encryption and SHA1 authentication | Worked straight away; have had no reason to speak to support yet | Great so far, highly recommended
Private Internet Access | Yes, but NO ENCRYPTION | Poor and slow. Their L1 support staff are useless: they skim through the e-mail and then cut and paste an answer that doesn't help | Avoid at all costs
Proxy.sh | Yes, but NO ENCRYPTION | Poor and slow; a question that I placed 7 days ago still hasn't been answered or acknowledged | Avoid at all costs
Kepard | Yes, with AES encryption and SHA1 authentication | Worked straight away; have had no reason to speak to support yet | Great so far, highly recommended
vpn.ac | Yes, with AES encryption and SHA1 authentication | Worked straight away; have had no reason to speak to support yet | Seems good so far

My advice

Try your chosen VPN provider before you make a long term commitment to them. Some offer a couple of days for a dollar or 2 while others will need you to commit for a month at around $10.

Try to set up the VPN on your router. I can assure you that you’ll probably have problems in the first instance, so hit up support early and often so you can gauge the type of response you’ll get on an ongoing basis.

My suggestions

From my tests I’d suggest VPN.AC and Kepard. Witopia would be up there if their T&Cs allowed you to host the VPN on your router.

In no way, shape or form would I suggest anyone use Private Internet Access or Proxy.sh if they needed a L2TP/IPSEC VPN on their router – life is too short to have to deal with incompetent help desks.

NordVPN can be veeeeeeeeeeeeeeeery slow at times.

My first Myki experience — not good

Today I tried to use my myki card for the first time and I was less than thrilled with the experience. Myki, for non-Victorians, is an ill-conceived, incompetently designed and built ticketing system that Victoria is trying to roll out; it is currently several years overdue, hundreds of millions of dollars over budget, and just doesn’t work.

Today I went to “touch on” at Melbourne Central. The first machine I touched my card to did absolutely nothing; after 3 or 4 attempts I gave up on that machine and tried the one next to it. Touch, touch, touch, and I was just about to give up when the barrier magically opened. Time wasted: about a minute or so. The existing Metcard ticketing system takes a max of 5 seconds to validate.

I get to my destination station and try to “touch off” on the first machine, nothing at all, no errors, no acknowledgment, nothing. Try the second machine, same, so I give up.

I call Myki, tell them my issue and ask for it to be fixed. “No can do” is the answer. If you can’t touch off, then the “help” desk apparently doesn’t see the transaction in your account until after the next time you touch on! So, since I only use public transport once a week on a Sunday, nothing can be done until then. Would I like to call back then? That was their answer; NO was mine. I did what I had to, and the myki system is broken, so I said to the operator that he needed to put a support ticket in for someone at Myki to call me when they can refund me my money. I bet that this complaint gets closed unresolved!

Last Sunday the same machines were causing problems as well. I watched an elderly gent fail to touch off just as I did today.

Myki is screwed and will be charging people default fares, and they purposely make it hard to get them reversed, hoping people forget or can’t be bothered to follow up, so they can grab more of our money… I guess they need to pay off that $1.5bln somehow!

I think I’ll stick to Metcard for a little while longer.

Using mod_security to stop Cyveillance

Let me start off by saying that I don’t condone making copyrighted material available to other users on the Internet. If you do that, you deserve all you get.

BUT there are some things that are worse than copyright infringement, and one of them is when someone attempts to break into your web server by requesting guessed URLs in an effort to reach parts of your website that you don’t publish, or even the filesystem underneath it.

Cyveillance is a company that tries to exploit random URLs and possible web server misconfigurations to monitor your site.

It’s all pretty dodgy, and they will start spouting that they are only trying to protect their clients’ intellectual property, but ironically they are breaking the law by trying to hack into your web server at the same time.

So, how can we take the initiative?

There is this really good Apache module called mod_security2, and it allows you to control who can do what against your server. Sounds pretty good, but how can we use mod_security to control Cyveillance? Well, read on.

It’s very easy to configure mod_security2. We will show one configuration that works; there are probably others, but feel free to use this config or post your own below.

If I’ve missed IP addresses that these people use please also let me know.

<IfModule mod_security2.c>
SecRuleEngine On

# Cyveillance – start
# Every rule carries a unique id (mandatory from ModSecurity 2.7 onwards; the
# 1000001-1000014 range here is arbitrary, pick any free range), runs in
# phase 1 so the request is bounced before Apache touches any content, and
# escapes the dots so that "^63.148.99." cannot also match, say, 63x148x99x.
SecRule REMOTE_ADDR "^63\.148\.99\."   "id:1000001,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^65\.118\.41\."   "id:1000002,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^38\.118\.25\."   "id:1000003,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^38\.118\.42\."   "id:1000004,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^216\.32\.64\."   "id:1000005,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^38\.112\.21\."   "id:1000006,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^207\.87\.178\."  "id:1000007,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^65\.222\.185\."  "id:1000008,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^65\.222\.176\."  "id:1000009,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^63\.100\.163\."  "id:1000010,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^151\.173\.221\." "id:1000011,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^68\.48\.24\."    "id:1000012,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^4\.35\.201\."    "id:1000013,phase:1,log,redirect:http://www.google.com"
SecRule REMOTE_ADDR "^38\.100\.41\."   "id:1000014,phase:1,log,redirect:http://www.google.com"
# Cyveillance – stop

# Inspect request and response bodies (not needed for the IP list above, but
# needed for any content rules you add later).
SecRequestBodyAccess On
SecResponseBodyAccess On

# Debug log: level 0 writes nothing at all; raise to 3 only while troubleshooting.
SecDebugLog /logs/security_debug_log
SecDebugLogLevel 0

# Audit log: record transactions that triggered a rule or returned 4xx/5xx,
# keeping the request headers (B), request body (I), response headers (F)
# and the rule messages (H). Serial = one file for everything.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^[45]
SecAuditLogParts ABIFHZ
SecAuditLogType serial
SecAuditLog /logs/security_audit_log

# Body size limits, in bytes.
SecRequestBodyLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyLimit 524288

</IfModule>

Essentially, what this config snippet tells mod_security2 to do is that each time a request comes from a Cyveillance address (matched on REMOTE_ADDR in phase 1, before Apache has served anything) we just shunt them off to good old Google with a 302. Ironically, Google is probably where they got your website from in the first place. On ModSecurity 2.6 or later you can collapse the whole list into a single rule using the @ipMatch operator with a comma-separated list of CIDR ranges, which is faster and easier to maintain than a stack of regexes.

The log action writes each hit to the Apache error log and, because log implies auditlog, the transaction also lands in /logs/security_audit_log even though a 302 does not match SecAuditLogRelevantStatus. The debug log stays empty at SecDebugLogLevel 0, so don’t expect anything in /logs/security_debug_log unless you raise the level while troubleshooting. By monitoring the audit log you can get information about how often they try to break into your website. It’ll be an interesting read.
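The audit log is in ModSecurity’s serial format: each transaction is a run of parts delimited by --<id>-A-- to --<id>-Z-- boundary lines, with part A carrying the timestamp and source address, B the request headers, F the response headers and H the rule messages and the Action line. The script below is an added example for this post (my code, not the author’s or the ModSecurity project’s). It parses that format and answers the two questions raised above: how often each listed address hits you, and which unlisted addresses are drawing 4xx responses and might belong on the list. The log text embedded in it is constructed for the example, and its rule ids assume the Cyveillance rules were numbered from 1000001 upwards.

```python
"""Summarise a ModSecurity 2 serial audit log.

Added example for this post, not the author's code. The SAMPLE_AUDIT_LOG
below is constructed to look like what the config in the post produces;
the addresses, unique ids and rule ids in it are made up.
"""
import re
from collections import Counter, defaultdict

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')


def _first_nonblank(lines):
    return next((l for l in lines if l.strip()), "")


def parse_serial_audit_log(text):
    """Split a serial-format audit log into a list of transaction dicts.

    Each dict has: tx (boundary id), src_ip (from part A), request (first
    line of part B), status (from part F), rule_ids (the [id "..."] tags in
    part H) and intercepted (True when a disruptive action fired).
    """
    parts_by_tx, order, current = {}, [], None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            tx, part = m.groups()
            if tx not in parts_by_tx:
                parts_by_tx[tx] = defaultdict(list)
                order.append(tx)
            current = (tx, part)
        elif current:
            parts_by_tx[current[0]][current[1]].append(line)

    txns = []
    for tx in order:
        p = parts_by_tx[tx]
        # Part A: "[dd/Mon/yyyy:hh:mm:ss +zzzz] unique_id src_ip src_port dst_ip dst_port";
        # the timestamp is two whitespace-separated tokens, so src_ip is token 3.
        a = _first_nonblank(p["A"]).split()
        f = _first_nonblank(p["F"]).split()        # "HTTP/1.1 302 Found"
        h = "\n".join(p["H"])
        txns.append({
            "tx": tx,
            "src_ip": a[3] if len(a) >= 7 else None,
            "request": _first_nonblank(p["B"]),
            "status": int(f[1]) if len(f) >= 2 and f[1].isdigit() else None,
            "rule_ids": RULE_ID.findall(h),
            "intercepted": "Action: Intercepted" in h,
        })
    return txns


def blocked_per_source(txns):
    """How many times each source address tripped a blocking rule."""
    return Counter(t["src_ip"] for t in txns if t["intercepted"])


def paths_probed(txns, only_blocked=True):
    """Request paths seen, by default only from blocked transactions."""
    out = []
    for t in txns:
        if only_blocked and not t["intercepted"]:
            continue
        bits = t["request"].split()
        if len(bits) >= 2:
            out.append(bits[1])
    return out


def unlisted_probers(txns):
    """Sources that were NOT blocked but still drew 4xx responses. These are
    candidates for the IP list, not proof that they are Cyveillance."""
    return Counter(t["src_ip"] for t in txns
                   if not t["intercepted"] and t["status"] and 400 <= t["status"] < 500)


SAMPLE_AUDIT_LOG = r"""--a1b2c3d4-A--
[09/Jan/2014:12:30:00 +1100] UsysgH8AAQEAABnEAAoAAAAA 63.148.99.10 40123 10.0.0.5 80
--a1b2c3d4-B--
GET /wp-content/uploads/../../etc/passwd HTTP/1.1
Host: www.example.com

--a1b2c3d4-F--
HTTP/1.1 302 Found
Location: http://www.google.com

--a1b2c3d4-H--
Message: Access denied with redirection to http://www.google.com using status 302 (phase 1). Pattern match "^63\.148\.99\." at REMOTE_ADDR. [file "/etc/apache2/conf.d/cyveillance.conf"] [line "5"] [id "1000001"]
Action: Intercepted (phase 1)

--a1b2c3d4-Z--

--e5f6a7b8-A--
[09/Jan/2014:12:31:15 +1100] UsysxX8AAQEAABnFAAsAAAAB 38.118.25.7 51200 10.0.0.5 80
--e5f6a7b8-B--
GET /admin/config.php HTTP/1.1
Host: www.example.com

--e5f6a7b8-F--
HTTP/1.1 302 Found
Location: http://www.google.com

--e5f6a7b8-H--
Message: Access denied with redirection to http://www.google.com using status 302 (phase 1). Pattern match "^38\.118\.25\." at REMOTE_ADDR. [file "/etc/apache2/conf.d/cyveillance.conf"] [line "7"] [id "1000003"]
Action: Intercepted (phase 1)

--e5f6a7b8-Z--

--c9d0e1f2-A--
[09/Jan/2014:12:32:40 +1100] Usy0CH8AAQEAABnGAAwAAAAC 192.0.2.44 60001 10.0.0.5 80
--c9d0e1f2-B--
GET /xmlrpc.php HTTP/1.1
Host: www.example.com

--c9d0e1f2-F--
HTTP/1.1 404 Not Found

--c9d0e1f2-H--
Stopwatch: 1389231160000000 311 (- - -)

--c9d0e1f2-Z--
"""

if __name__ == "__main__":
    txns = parse_serial_audit_log(SAMPLE_AUDIT_LOG)
    print("blocked per source:", dict(blocked_per_source(txns)))
    print("paths probed:", paths_probed(txns))
    print("unlisted 4xx sources:", dict(unlisted_probers(txns)))
```

Point it at the real /logs/security_audit_log (open the file and pass its contents to parse_serial_audit_log) and the third summary is the one to watch: an unlisted address that keeps drawing 404s for paths you never published is the next candidate for the IP list.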

This is just one use of mod_security2. If you use CMSs like Mambo or Joomla! you will most certainly see many cross-site scripting exploits hitting your web server. A sensible set of mod_security rules (or a maintained rule set such as the OWASP ModSecurity Core Rule Set) will stop the bulk of them.