Re: [gentoo-user] About to have fiber internet and need VPN info

2022-08-06 Thread Michael
On Saturday, 6 August 2022 07:07:26 BST Dale wrote:
> Michael wrote:
> > All connections to banks are encrypted end-to-end for decades now and the
> > encryption has become stronger over the years.
> 
> That is likely true.  I still remember Snowden tho.  We don't know what
> backdoors are in use even for bank encryption.

It's safer to assume state actors have full access to bank information.  The 
hope is bad guys don't get access too!  ;-)


> Thing is, open source
> tools are harder to fall into that trap since everyone can see what the
> code is.  If a backdoor is forced in, it will be known to a lot of
> people and then that tool won't be used.  It's sort of funny in a way,
> the more Govts and others try to restrict things, the more tools there
> are to get around it.  From what I've read, most VPNs use open source
> tools.  Most even use the current best and would upgrade if needed. 
> That gives me some extra protection in the event my bank or any other
> website falls behind on updating theirs. 

A VPN gives no end-to-end protection whatsoever in this scenario.  All you get 
is protection in the network connection between your PC and the VPN server.  
From the VPN server onward to your bank, the connection will be no more 
protected than whatever encryption protocol the bank offers.  Only a VPN 
server offered by your bank for connections to their network would afford 
additional protection in this scenario.


> Basically, I don't trust Govt with much of anything.  If they say they
> don't do something bad, you can pretty much bet they are doing exactly
> that or even worse. 

Heh!  After the Snowden revelations any such suspicions could be taken as a 
certainty.


[snip ...]
> Well, that settles that then.  I guess it will be Surfshark.  Pretty
> sure it is in the Netherlands but may be wrong on country.  I just
> recall it being outside US jurisdiction.  I also read they have been
> audited by independent people to ensure they have no logs even if asked. 

Surfshark gets good reviews and it offers the wireguard protocol with the 
ChaCha20 cipher for better encryption and performance.  However, the 
Netherlands is part of the EU and 14 eyes, so I would think similar state 
powers exist to access your private communications and the ISPs would have no 
way of refusing and staying in business.  Surfshark offers a warrant canary, 
but it looks more like a marketing statement to me when you compare it to 
something like the Qubes digitally signed canaries.




Re: [gentoo-user] About to have fiber internet and need VPN info

2022-08-06 Thread Dale
Michael wrote:
> On Saturday, 6 August 2022 07:07:26 BST Dale wrote:
>
>> Well, that settles that then.  I guess it will be Surfshark.  Pretty
>> sure it is in the Netherlands but may be wrong on country.  I just
>> recall it being outside US jurisdiction.  I also read they have been
>> audited by independent people to ensure they have no logs even if asked. 
> Surfshark gets good reviews and it offers the wireguard protocol with the 
> ChaCha20 cipher for better encryption and performance.  However, the 
> Netherlands is part of the EU and 14 eyes, so I would think similar state 
> powers exist to access your private communications and the ISPs would have no 
> way of refusing and staying in business.  Surfshark offers a warrant canary, 
> but it looks more like a marketing statement to me when you compare it to 
> something like the Qubes digitally signed canaries.


I forgot about the 14 eyes thing.  Do you know of one outside that that
is good?  The bad thing about most, they are pricey if done by the month
for testing.  You only get a good deal if you subscribe for a year or
even two years.  I don't want to subscribe and then find out it is a bad
one. 

Dale

:-)  :-) 



Re: [gentoo-user] About to have fiber internet and need VPN info

2022-08-06 Thread Dale
Dale wrote:
> Michael wrote:
>> On Saturday, 6 August 2022 07:07:26 BST Dale wrote:
>>
>>> Well, that settles that then.  I guess it will be Surfshark.  Pretty
>>> sure it is in the Netherlands but may be wrong on country.  I just
>>> recall it being outside US jurisdiction.  I also read they have been
>>> audited by independent people to ensure they have no logs even if asked. 
>> Surfshark gets good reviews and it offers the wireguard protocol with the 
>> ChaCha20 cipher for better encryption and performance.  However, the 
>> Netherlands is part of the EU and 14 eyes, so I would think similar state 
>> powers exist to access your private communications and the ISPs would have
>> no way of refusing and staying in business.  Surfshark offers a warrant canary, 
>> but it looks more like a marketing statement to me when you compare it to 
>> something like the Qubes digitally signed canaries.
>
> I forgot about the 14 eyes thing.  Do you know of one outside that that
> is good?  The bad thing about most, they are pricey if done by the month
> for testing.  You only get a good deal if you subscribe for a year or
> even two years.  I don't want to subscribe and then find out it is a bad
> one. 
>
> Dale
>
> :-)  :-) 
>


I did a quick google search and Surfshark is based in British Virgin
Islands and is outside the eyes countries.  I was thinking it was
Netherlands but wasn't sure.  When I searched for VPN outside 14 eyes
country, Surfshark is highly rated.  Depending on the site, it's in the
top few each time. 

https://earthweb.com/vpn-outside-14-eyes/

https://www.privateproxyguide.com/best-vpn-outside-14-eyes/

Unless there is some good reason to avoid, still thinking of using it. 

Dale 

:-)  :-) 



Re: [gentoo-user] About to have fiber internet and need VPN info

2022-08-06 Thread Rich Freeman
On Sat, Jul 16, 2022 at 6:57 AM Dale wrote:
>
> I also want to use a VPN but only for some programs.  Example, I want
> Ktorrent and a couple Firefox profiles to use VPNs but at least one
> Firefox profile I want to remain outside of VPN.

I can't keep up with which VPNs are more or less scummy at any moment
in time, but I will comment on this bit and on the concept in general.

Controlling which HOSTS use a VPN is pretty straightforward via the
routing tables.  If you have a decent DHCP server and can issue
routers to individual hosts you can do it that way (most consumer
routers probably won't support this with their built-in DHCP).

Controlling it at the software level is a real PITA.  On an OS like
Windows I don't think it is even possible unless via SOCKS or
whatever.  On Linux you can do it with iproute2 and often netfilter is
needed as well.  Look up policy-based routing, and be prepared to do
some studying.  I'll tell you right now you probably don't want to do
it this way.  I think for outbound-only connections it isn't as hard
to do it at a uid level, so if you run software under different uids
that would make it easier.  If you want to handle inbound connections
on servers and have the replies not go out over the normal
destination-based route then you need to mark the connections using
netfilter and then set a policy routing for the replies, otherwise
your reply traffic will go out over the wrong router and have the
wrong IP and the other end won't associate it with the connection.  I
imagine you run into the same problems with any kind of use of NAT for
inbound forwarded traffic in a multi-homed situation.

Controlling routes by container is also a potential issue.  If you're
using a container technology that uses virtual interfaces that get
their own IPs/routing/etc then it is easy - same as host-level
routing.  If you're using something like Docker/k8s where it wants all
the outbound traffic to just go out from the host then it can be a
pain.  I think they can do macvlan but I think that has its own
issues.  That is actually something I'm trying to figure out for
myself.

Ok, topic change: the threat model.  As others have pointed out, the
VPN changes WHO can see your traffic, and that's mainly it.  I think
this is still a useful consideration, because in many places your ISP
is chosen by where you live, but with a VPN provider you can choose
anyone you want.  The ISP has no reason to earn your trust because
you're a captive audience, while a VPN provider who gets outed for
leaking private info basically is out of business.  So I think there
is a benefit.  However, you're going to be reducing your risk of being
traced by private companies here, like advertisers, intellectual
property enforcement companies, and so on.  If you're worried about
the NSA or some other state-level actor then you need to do a LOT more
to evade them.  I just assume the NSA has root on all my hosts
already, and I wish that they'd at least offer to sell backups of my
systems back to me so that I didn't need to keep my own...  :)

-- 
Rich
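
The per-uid policy routing and connection marking described in the message above, as an added example that is not part of Rich's message or of any project mentioned in the thread. The interface name `wg0`, table number `100`, mark `0x1` and the helper name `vpn_uid_rules` are assumptions; the fail-closed route goes slightly beyond the message and keeps traffic from falling back to the normal route if the VPN interface disappears.

```shell
#!/bin/sh
# Added example: print the iproute2/netfilter commands that send one uid's
# traffic through a VPN interface. Nothing is changed on the system; pipe
# the output to "sh" as root to apply it.
# Assumed names (not from the thread): wg0, table 100, mark 0x1.

vpn_uid_rules() {
    user=$1 dev=$2 table=$3 mark=${4:-0x1}
    case $user in
        '') echo "usage: vpn_uid_rules USER|UID DEV TABLE [MARK]" >&2; return 1 ;;
        *[!0-9]*) uid=$(id -u "$user" 2>/dev/null) ||
                      { echo "no such user: $user" >&2; return 1; } ;;
        *) uid=$user ;;
    esac
    cat <<EOF
# Everything that consults table $table leaves via $dev ...
ip route add default dev $dev table $table
# ... and if $dev goes away, fail closed instead of using the main table.
ip route add unreachable default metric 1000 table $table
# Outbound: sockets owned by uid $uid look at table $table first.
ip rule add uidrange $uid-$uid lookup $table priority 1000
# Inbound: remember which connections arrived on $dev ...
iptables -t mangle -A PREROUTING -i $dev -j CONNMARK --set-mark $mark
# ... copy that mark onto locally generated reply packets ...
iptables -t mangle -A OUTPUT -m connmark --mark $mark -j CONNMARK --restore-mark
# ... and route marked replies back out through $dev.
ip rule add fwmark $mark lookup $table priority 1001
# Only matters where strict reverse-path filtering (rp_filter=1) is enabled.
sysctl -w net.ipv4.conf.$dev.rp_filter=2
EOF
}

# Dry run for the invoking user: prints the commands, applies nothing.
vpn_uid_rules "$(id -u)" wg0 100
```

Running the torrent client or a browser profile under a dedicated account (for instance with `sudo -u`) then selects the VPN route for just that software.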



Re: [gentoo-user] About to have fiber internet and need VPN info

2022-08-06 Thread Peter Humphrey
On Saturday, 6 August 2022 12:08:30 BST Dale wrote:

> I did a quick google search and Surfshark is based in British Virgin
> Islands and is outside the eyes countries.

According to [1], the BVI is "considered partners or affiliates of the fourteen 
eyes alliance."

1. https://www.securitymadesimple.org/cybersecurity-blog/fourteen-eyes-surveillance-explained

-- 
Regards,
Peter.






Re: [gentoo-user] About to have fiber internet and need VPN info

2022-08-06 Thread Michael
On Saturday, 6 August 2022 12:08:30 BST Dale wrote:
> Dale wrote:
> > Michael wrote:
> >> On Saturday, 6 August 2022 07:07:26 BST Dale wrote:
> >>> Well, that settles that then.  I guess it will be Surfshark.  Pretty
> >>> sure it is in the Netherlands but may be wrong on country.  I just
> >>> recall it being outside US jurisdiction.  I also read they have been
> >>> audited by independent people to ensure they have no logs even if asked.
> >> 
> >> Surfshark gets good reviews and it offers the wireguard protocol with the
> >> ChaCha20 cipher for better encryption and performance.  However, the
> >> Netherlands is part of the EU and 14 eyes, so I would think similar state
> >> powers exist to access your private communications and the ISPs would
> >> have no way of refusing and staying in business.  Surfshark offers a
> >> warrant canary, but it looks more like a marketing statement to me when
> >> you compare it to something like the Qubes digitally signed canaries.
> > 
> > I forgot about the 14 eyes thing.  Do you know of one outside that that
> > is good?  The bad thing about most, they are pricey if done by the month
> > for testing.  You only get a good deal if you subscribe for a year or
> > even two years.  I don't want to subscribe and then find out it is a bad
> > one. 
> > 
> > Dale
> > 
> > :-)  :-) 
> 
> I did a quick google search and Surfshark is based in British Virgin
> Islands and is outside the eyes countries.  I was thinking it was
> Netherlands but wasn't sure.

You were thinking correctly at the start.  Surfshark is located in the 
Netherlands since 2018 and has been bought out by Nord Security, who owns 
NordVPN.


> When I searched for VPN outside 14 eyes
> country, Surfshark is highly rated.  Depending on the site, it's in the
> top few each time. 
> 
> https://earthweb.com/vpn-outside-14-eyes/
> 
> https://www.privateproxyguide.com/best-vpn-outside-14-eyes/
> 
> Unless there is some good reason to avoid, still thinking of using it. 

The more you try to escape the 14 eyes Big Brother, the closer you may fall 
into the hands of various authoritarian regimes.  LOL!  Even VPNs like NordVPN 
which operates within the jurisdiction of Panama (let's not forget it is 
Langley's doorstep), it also has offices in the UK, Netherlands and Lithuania.  
I wonder why . . .

Total privacy on the Internet is improbable.  If your only concern is to 
retain your privacy from your ISP with regards to your Internet connections, 
then most/any VPN service will offer this benefit by obfuscating your IP 
address.  Your browsing patterns, browser User Agent, addons and umpteen other 
OS and application fingerprints won't be obfuscated beyond the VPN server.  
Therefore your identity can only be protected so much and no more.





[gentoo-user] glibc and chroot

2022-08-06 Thread Peter Humphrey
Hello list,

This workstation acts as compile host for a few others, and I NFS-mount those 
clients in a chroot jail.

Now, when glibc is updated, I'm supposed to 'telinit u'. My question is: if I 
do that inside the chroot jail, does it operate only in there, or does it 
rerun init on the host as well? I don't see anything in the host's
.../messages; does that answer my question?

-- 
Regards,
Peter.






[gentoo-user] quodlibet

2022-08-06 Thread Jorge Almeida
No "internet radio" in quodlibet?

$ quodlibet --list-browsers
0. SearchBar
1. Playlists
2. Paned
3. AlbumList
4. CoverGrid
5. AlbumCollection
6. FileSystem

The package accepts only 3 USE variables (dbus, gstreamer, udev), all
of which are set. What to do?
This feature exists, according to
https://quodlibet.readthedocs.io/en/latest/guide/browse/iradio.html

The ebuild doesn't seem to contain anything that would disable it.
What to do?

Jorge Almeida



Re: [gentoo-user] About to have fiber internet and need VPN info

2022-08-06 Thread William Kenworthy



On 6/8/22 20:42, Michael wrote:
> On Saturday, 6 August 2022 12:08:30 BST Dale wrote:
> ...
>
> The more you try to escape the 14 eyes Big Brother, the closer you may fall
> into the hands of various authoritarian regimes.  LOL!  Even VPNs like NordVPN
> which operates within the jurisdiction of Panama (let's not forget it is
> Langley's doorstep), it also has offices in the UK, Netherlands and Lithuania.
> I wonder why . . .
>
> Total privacy on the Internet is improbable.  If your only concern is to
> retain your privacy from your ISP with regards to your Internet connections,
> then most/any VPN service will offer this benefit by obfuscating your IP
> address.  Your browsing patterns, browser User Agent, addons and umpteen other
> OS and application fingerprints won't be obfuscated beyond the VPN server.
> Therefore your identity can only be protected so much and no more.

Also, leakage is almost inevitable ... DNS, content distribution 
networks, browser fingerprinting, timezones, paying online with a US 
credit card, US delivery address and just simple mis-configuration 
exposing you to risk etc.  My impression as a long time openvpn user is 
that TOR and the TOR browser might be the closest to secure for your 
purposes? Also, keep in mind that things like online shopping will cost 
you more overseas because if you are successful in hiding you are in the 
US you will get the international surcharges, or in some cases ordering 
IT stuff from the US you have to fill out export clearances (once even 
for sparkfun hobby stuff!) :) ... then if you pay with a US card and/or 
have a US delivery address they have got you anyway - in fact being in 
Oz I gave it up as being no gain, too much pain to use a VPN to try and get 
cheaper US shopping. I found myself having to maintain two totally 
independent systems with one in a locked down VPN with US settings with 
all traffic actively blocked from the local network, and use US shipping 
and packaging firms that offered facilities to buy on my behalf.  That 
is much harder than you think - trusting the end points is only one 
small part of the problem you are trying to solve and from the Gov 
monitoring point of view almost certainly a waste of time anyway as they 
have massive resources. The best you can hope for with openvpn is SSL 
point to point level security.  Just use HTTPS, a good browser and be 
part of the crowd - if you are trawling suspect/socially compromising 
websites you do not want anyone to see you going to, no matter what you 
do there will always be a risk and as a VPN user you are a more likely 
target for a closer look anyway.  I am sure the bigger online VPN 
providers would be monitored closely - at least TOR is likely to help 
more than a plain VPN.


BillK