1
00:00:00,420 --> 00:00:03,210
Welcome to Part 10 of this module.

2
00:00:03,210 --> 00:00:08,430
This video is going to be covering VPN ins or virtual private networks.

3
00:00:08,460 --> 00:00:10,580
We'll talk about what a VPN is.

4
00:00:10,620 --> 00:00:17,520
Some of the pros and cons of using one as well as discussing ways of comparing VPN is to select which

5
00:00:17,520 --> 00:00:19,410
one is best for your purposes.

6
00:00:19,470 --> 00:00:26,160
In the course of this demonstration you'll see me use several such commercial offerings both free and

7
00:00:26,190 --> 00:00:27,500
not free.

8
00:00:27,510 --> 00:00:34,290
I'm not sponsored by any company nor am I advocating the use of any specific service that you may see

9
00:00:34,290 --> 00:00:34,850
here.

10
00:00:34,860 --> 00:00:41,760
The goal of this presentation is to give you the informational need to make your own selection not make

11
00:00:41,760 --> 00:00:43,180
the selection for you.

12
00:00:43,200 --> 00:00:49,290
And as promised towards the end of this entry we'll be discussing vpn use with Tor.

13
00:00:49,290 --> 00:00:56,910
That being said there are some parts of the world where the use of virtual private networks is illegal

14
00:00:56,970 --> 00:00:58,650
and can get you into hot water.

15
00:00:58,680 --> 00:01:04,770
Please always use such technology in a way that is consistent with the laws of whatever country you're

16
00:01:04,770 --> 00:01:07,080
living in at the time of this video.

17
00:01:07,080 --> 00:01:12,340
A VPN is perfectly legal in the United States and hopefully always will be.

18
00:01:12,420 --> 00:01:18,270
But since laws are ever changing please do a bit of research to make sure that they are legal for your

19
00:01:18,270 --> 00:01:20,820
area before you use one.

20
00:01:20,820 --> 00:01:24,400
So first what is a VPN.

21
00:01:24,420 --> 00:01:31,380
The simplest way of explaining is to say that a virtual private network is encryption technology that

22
00:01:31,380 --> 00:01:38,720
forms a secure connection or tunnel between your computer and the VPN server.

23
00:01:38,730 --> 00:01:45,930
In theory anyone outside this tunnel such as your Internet service provider or a hacker attempting a

24
00:01:45,930 --> 00:01:52,590
man in the middle attack at the local coffee shop will see only encrypted data going to and from the

25
00:01:52,590 --> 00:02:00,150
server a network administrator of a shared network as well as a network firewall will only see encrypted

26
00:02:00,150 --> 00:02:09,240
data VPN technology was originally developed to allow remote users and the branch offices of businesses

27
00:02:09,330 --> 00:02:14,640
to access corporate applications and resources to ensure security.

28
00:02:14,640 --> 00:02:21,540
The private network connection is established using an encryption layer Tunneling Protocol and VPN users

29
00:02:21,600 --> 00:02:30,850
use authenticated methods including passwords and certificates to gain access to the VPN in other applications.

30
00:02:30,890 --> 00:02:38,450
Internet users may secure their transactions with a VPN to circumvent geo restrictions and censorship

31
00:02:38,450 --> 00:02:45,620
of various kinds or to connect to proxy servers to protect personally identifiable information and location

32
00:02:45,620 --> 00:02:49,900
information thus allowing you to stay anonymous on the internet.

33
00:02:49,940 --> 00:02:57,950
However it has to be said that some Web sites do block access to known VPN technology to prevent the

34
00:02:57,950 --> 00:03:03,560
circumvention of their geo restrictions and many providers have been developing strategies to get around

35
00:03:03,560 --> 00:03:04,840
these roadblocks.

36
00:03:04,850 --> 00:03:12,380
A VPN is created by establishing a virtual point to point connection through the use of dedicated circuits

37
00:03:12,890 --> 00:03:19,730
or with tunneling protocols over existing networks while connecting through a properly configured VPN

38
00:03:19,730 --> 00:03:20,580
tunnel.

39
00:03:20,720 --> 00:03:27,740
All of your internet traffic will be encrypted to and from the VPN server if you set up a VPN server

40
00:03:27,740 --> 00:03:30,390
on your home computer and connect to it.

41
00:03:30,410 --> 00:03:36,890
Let's say from a faraway library network then the traffic between the computer you are using in your

42
00:03:36,890 --> 00:03:43,790
home computer is encrypted and any Web site that you work to visit will see the IP address of your home

43
00:03:43,790 --> 00:03:44,650
computer.

44
00:03:44,690 --> 00:03:52,070
On the other hand if you connect from your home computer to a VPN server in let's say Mumbai any attempt

45
00:03:52,070 --> 00:03:58,480
to trace your activity or location will lead to the server in Mumbai not your home address.

46
00:03:58,490 --> 00:04:05,210
Penetration testers often use VPN ads in order to hide what they are doing during a lawful penetration

47
00:04:05,210 --> 00:04:05,930
test.

48
00:04:05,990 --> 00:04:12,690
A VPN is often used to form a secure tunnel through an otherwise impenetrable firewall.

49
00:04:12,710 --> 00:04:19,070
It can be used to hide Internet activity from nosy system administrators as well as internet service

50
00:04:19,070 --> 00:04:25,910
providers and prevent the pen testers activities from being traced back to their source or directly

51
00:04:25,910 --> 00:04:26,750
logged.

52
00:04:26,750 --> 00:04:30,920
There are basically three types of virtual private network.

53
00:04:30,920 --> 00:04:36,250
The first type is a network that you set up yourself using free open VPN technology.

54
00:04:36,260 --> 00:04:41,580
In this instance you must have access to your own server somewhere in the world.

55
00:04:41,600 --> 00:04:47,750
This might be a virtual private server purchased through anonymous means or a physical box that you

56
00:04:47,810 --> 00:04:48,340
own.

57
00:04:48,350 --> 00:04:54,560
Somewhere out there you could of course use your own home computer and this might be desirable when

58
00:04:54,560 --> 00:04:55,480
traveling.

59
00:04:55,490 --> 00:05:02,060
Just keep in mind your Internet activity will always appear to be originating from that point and can

60
00:05:02,060 --> 00:05:04,220
be easily linked to your identity.

61
00:05:04,220 --> 00:05:08,120
The second possible implementation would be a free VPN.

62
00:05:08,240 --> 00:05:14,150
If you work for a security conscious company they are likely to provide this as a service.

63
00:05:14,150 --> 00:05:18,330
This is after all how VPN is originally started out.

64
00:05:18,380 --> 00:05:24,680
There are many so-called free VPN is being offered online and we'll look at a couple of those during

65
00:05:24,680 --> 00:05:26,120
this tutorial.

66
00:05:26,120 --> 00:05:31,150
There are some major issues with free VPN however and I'll get to those in a second.

67
00:05:31,160 --> 00:05:36,110
The third type of implementation of VPN is a commercial offering.

68
00:05:36,200 --> 00:05:43,450
In the last 10 years or so VPN providers have really taken off for as little as a few dollars a month.

69
00:05:43,460 --> 00:05:49,730
You can subscribe to one of these providers and have access to hundreds of VPN servers all around the

70
00:05:49,730 --> 00:05:50,450
world.

71
00:05:50,480 --> 00:05:53,900
All providers are obviously not created equal.

72
00:05:54,050 --> 00:05:57,950
And we'll be discussing pros and cons of commercial offerings in a moment.

73
00:05:57,950 --> 00:06:05,690
At this moment I am currently connected to a VPN a commercial offering called Tor guard to a server

74
00:06:05,720 --> 00:06:08,920
in Los Angeles California.

75
00:06:09,020 --> 00:06:16,370
If we decide to navigate over to what's my IP address we can see that any Web site I visit or service

76
00:06:16,400 --> 00:06:23,040
I connect to will see this IP address and this geo location.

77
00:06:23,210 --> 00:06:30,980
In other words if I were conducting a lawful penetration test and as part of that lawful pen test gained

78
00:06:31,010 --> 00:06:35,100
access to somewhere I normally would not supposed to be.

79
00:06:35,330 --> 00:06:40,940
Any attempt to trace my activities would lead back to this server in Los Angeles.

80
00:06:40,940 --> 00:06:48,560
My ISP would only see encrypted traffic to and from the server so there would be no way to determine

81
00:06:48,590 --> 00:06:50,210
what I was doing.

82
00:06:50,210 --> 00:06:53,090
Obviously there is a major caveat here.

83
00:06:53,180 --> 00:06:57,290
You have to trust the VPN server that you are connecting to.

84
00:06:57,320 --> 00:07:04,130
You have to trust that one they say they don't log your activities or grant third party access that

85
00:07:04,130 --> 00:07:10,220
they are actually telling you the truth and you have to trust that the company itself is not in some

86
00:07:10,220 --> 00:07:11,560
way compromised.

87
00:07:11,720 --> 00:07:18,610
For example by an intelligence agency you might therefore assume that a free VPN is the way to go over

88
00:07:18,710 --> 00:07:25,680
a commercial provider such as the one that your seeing your theoretically has an incentive to protect

89
00:07:25,680 --> 00:07:32,430
their customers whereas a free provider can do as it pleases with your data.

90
00:07:32,500 --> 00:07:38,980
It may then seem that the best solution would be to set up your own server but unless you personally

91
00:07:38,980 --> 00:07:43,440
control the server itself how can you really trust it.

92
00:07:43,570 --> 00:07:49,380
And if you own the physical server is it not linked to your identity in some way.

93
00:07:49,390 --> 00:07:55,050
I realize it may seem as if I'm sabotaging the very reason behind using a VPN.

94
00:07:55,060 --> 00:08:01,270
My goal is to alert you to the dangers of whichever choice you decide to go with a virtual private network

95
00:08:01,300 --> 00:08:07,050
is an incredibly useful tool when used properly but it's not by itself.

96
00:08:07,090 --> 00:08:08,730
Absolute anonymity.

97
00:08:08,920 --> 00:08:14,560
A VPN isn't going to help you if you're logging into your Google accounts and allowing them to essentially

98
00:08:14,560 --> 00:08:16,490
track you across the Internet.

99
00:08:16,630 --> 00:08:18,050
Just like with Tor.

100
00:08:18,130 --> 00:08:22,870
Proper operational security or OPSEC for short is crucial.

101
00:08:22,870 --> 00:08:28,630
Let's take a look at a practical example of what you might want to use a VPN for.

102
00:08:28,630 --> 00:08:37,520
First off I'm going to disconnect from the network and choose another server notice that when I do this

103
00:08:37,760 --> 00:08:41,060
my internet connection down here is going to go dead.

104
00:08:41,060 --> 00:08:49,010
Any good VPN provider whether it is one you set up yourself or a free client with that you download

105
00:08:49,460 --> 00:08:57,300
or a commercial offering is going to absolutely require a functioning internet kill switch.

106
00:08:57,530 --> 00:09:04,430
It may happen that for some reason your connection to the VPN server drops without warning and if such

107
00:09:04,430 --> 00:09:11,300
a kill switch does not exist or is not configured properly your Internet activity and real IP address

108
00:09:11,300 --> 00:09:18,430
will be unmasked every VPN client is a little different and we'll see a few more examples in a moment.

109
00:09:18,460 --> 00:09:25,600
This one in particular has a button on the front to re enable the network devices and restore Internet

110
00:09:25,600 --> 00:09:26,710
connectivity.

111
00:09:26,710 --> 00:09:28,370
So I'm going to click it now.

112
00:09:28,750 --> 00:09:34,750
We've reconnected and I'm going to go ahead and select another server from the list every provider is

113
00:09:34,750 --> 00:09:35,670
different.

114
00:09:35,860 --> 00:09:41,880
Commercial offerings will often have extensive lists of servers all over the world.

115
00:09:41,950 --> 00:09:49,330
Generally speaking with a free provider you simply get whatever is offered and the selection is usually

116
00:09:49,330 --> 00:09:51,820
quite a bit less impressive.

117
00:09:55,390 --> 00:10:02,110
So for this demonstration I'm going to go ahead and connect to Atlanta in the United States

118
00:10:05,560 --> 00:10:08,730
with this being done or IP address.

119
00:10:08,830 --> 00:10:12,160
As far as the outside world is concerned will reflect this.

120
00:10:12,160 --> 00:10:22,260
Atlanta server our geo location has changed and if we come over to what's our IP and refresh it we can

121
00:10:22,260 --> 00:10:24,510
see that our IP address has changed as well.

122
00:10:24,510 --> 00:10:34,200
So let's say that we want to download a perfectly legal iso image from a freely available Linux distribution

123
00:10:34,860 --> 00:10:37,810
for our example purposes it's going to be Calleigh.

124
00:10:37,830 --> 00:10:45,210
The best way to do this would be to use a file sharing client such as BitTorrent you torrent or any

125
00:10:45,210 --> 00:10:46,340
number of others.

126
00:10:46,500 --> 00:10:54,030
Since this method allows us to pause a download and resume it later it also allows us to draw the same

127
00:10:54,030 --> 00:11:01,020
files from multiple sources at once rather than just trusting one single source taunting is not in and

128
00:11:01,020 --> 00:11:03,590
of itself illegal in the United States.

129
00:11:03,600 --> 00:11:10,230
Contrary to what you may have heard however it is illegal to use this method to download other people's

130
00:11:10,230 --> 00:11:16,980
intellectual property such as movies television shows music books audio books or anything else that

131
00:11:16,980 --> 00:11:23,050
you don't have permission from the creators to download as this would fall under the category of piracy.

132
00:11:23,100 --> 00:11:25,580
Please obey the law at all times.

133
00:11:25,710 --> 00:11:31,770
With that being said we will be downloading Linux which is freely offered and not copy written many

134
00:11:31,770 --> 00:11:38,310
Internet service providers frown on taunting because when they see the activity they assume by default

135
00:11:38,340 --> 00:11:41,670
that such traffic is in some way illegal.

136
00:11:41,670 --> 00:11:47,580
Some will even go so far as to throttle your internet connection speed when they automatically detect

137
00:11:47,580 --> 00:11:49,320
this sort of activity.

138
00:11:49,560 --> 00:11:54,980
And of course it may also be that you just don't want there to be a record that you downloaded Cally

139
00:11:54,990 --> 00:12:02,360
Linux so we're going to go ahead and click the torrent link and this is automatically going to open

140
00:12:02,360 --> 00:12:08,380
up my rather out-of-date file sharing client.

141
00:12:08,440 --> 00:12:15,240
Here we can see that the Linux iso image is downloading because we are connected to the VPN server.

142
00:12:15,430 --> 00:12:21,030
All our internet providers CS is encrypted traffic going to and from the server.

143
00:12:21,190 --> 00:12:27,910
Anyone observing the connection tried to determine who is downloading this file would see the IP address

144
00:12:27,970 --> 00:12:30,950
of the VPN server not our own.

145
00:12:30,970 --> 00:12:37,720
Of course downloading files or performing other packet heavy activities such as online gaming while

146
00:12:37,720 --> 00:12:42,610
using a VPN may be slower than using your regular connection.

147
00:12:42,610 --> 00:12:44,590
So this is something to keep in mind.

148
00:12:44,650 --> 00:12:50,680
Speed will vary from server to from server to server configuration to configuration and provider to

149
00:12:50,680 --> 00:12:52,800
providers so so just be aware of that.

150
00:12:52,840 --> 00:13:00,910
Now the reason we absolutely must have a proper kill switch method employed is because if we were to

151
00:13:00,910 --> 00:13:07,050
disconnect for any reason noticed the download speed is decreasing.

152
00:13:07,420 --> 00:13:10,000
What's actually happening is that it's stopping immediately.

153
00:13:10,000 --> 00:13:20,180
This is just how but this particular client expresses this and if I'd let this go a bit longer the drop

154
00:13:20,180 --> 00:13:21,860
would be more apparent.

155
00:13:21,860 --> 00:13:28,910
We want to make sure that whatever we are doing immediately stops without such a kill switch or something

156
00:13:28,910 --> 00:13:30,710
of the kind being used.

157
00:13:30,710 --> 00:13:35,380
This download would just continue on without any interruption.

158
00:13:35,630 --> 00:13:41,930
A real IP would be shown in the clear and our ISP or network at ad men would be able to log what we're

159
00:13:41,930 --> 00:13:42,590
doing.

160
00:13:42,590 --> 00:13:45,870
As it stands the download stops immediately.

161
00:13:45,890 --> 00:13:54,160
So we'll go ahead and we will pause this exit out of our client re enable our internet connection and

162
00:13:54,170 --> 00:13:59,320
now we can click connect to reconnect and there we go.

163
00:13:59,370 --> 00:14:05,930
We're once again connected we could load up new torrent once again and simply click resumed download.

164
00:14:06,810 --> 00:14:17,750
So that was one example of a VPN two more popular examples of free VPN ads are going to be cyber ghost

165
00:14:17,810 --> 00:14:19,870
and Proton VPN.

166
00:14:19,880 --> 00:14:27,480
Now the reason I'm showing this next step in virtual box is to make a point about split connections.

167
00:14:27,500 --> 00:14:35,240
The first example of a freebie VPN provider that I was going to show you was called cyber ghost being

168
00:14:35,240 --> 00:14:36,000
free.

169
00:14:36,020 --> 00:14:42,450
It has far fewer server options but all that is required to sign up is a burner email.

170
00:14:42,470 --> 00:14:50,000
Unfortunately cyber ghosts authentication for the free accounts appears to be down and has been down

171
00:14:50,000 --> 00:14:52,000
for the last few hours.

172
00:14:52,010 --> 00:14:52,640
So.

173
00:14:52,670 --> 00:14:54,440
Well I guess being free.

174
00:14:54,440 --> 00:14:56,020
You get what you pay for.

175
00:14:56,030 --> 00:15:04,470
Sorry cyber ghost so instead we're gonna go ahead and we're going to look at proton VPN which is also

176
00:15:04,470 --> 00:15:11,880
free and can also be signed up for simply by signing up for the free proton mail to make this prettier

177
00:15:11,880 --> 00:15:12,390
to look at.

178
00:15:12,390 --> 00:15:18,150
I'm going to go full screen and virtual mocks proton VPN has a rather nice looking client in my opinion

179
00:15:18,750 --> 00:15:27,370
as before we select our server in whatever country we want from the list provided all you'd need to

180
00:15:27,370 --> 00:15:32,390
do to sign up is create a free account using proton mail.

181
00:15:32,440 --> 00:15:38,260
I do still have the free trial so we're seeing more servers than would normally be available with the

182
00:15:38,260 --> 00:15:39,880
free version.

183
00:15:39,880 --> 00:15:47,530
We also have the option of using what proton VPN calls secure core which creates an additional bit of

184
00:15:47,530 --> 00:15:55,840
routing through Iceland before carrying on to our chosen destination which in this case is Brazil.

185
00:15:55,840 --> 00:15:57,070
But hang on a second.

186
00:15:57,340 --> 00:16:05,890
If we minimize virtual box we can see that we're still connected to the Atlantis server through our

187
00:16:05,980 --> 00:16:07,930
other example VPN.

188
00:16:07,930 --> 00:16:15,220
This is a crucially important thing to remember since we often use virtualize systems for pen tests

189
00:16:15,280 --> 00:16:21,520
and even in day to day use virtual box uses its own Internet adapter.

190
00:16:21,700 --> 00:16:29,380
Even if you're connected to a VPN on the host operating system virtual box basically just ignores it

191
00:16:29,440 --> 00:16:31,570
and uses your real connection.

192
00:16:31,720 --> 00:16:40,030
If you want your virtual box traffic to be protected you need to use a VPN inside virtual box itself.

193
00:16:40,030 --> 00:16:48,950
The neat thing is that it is possible to use virtual box in this way to be connected to multiple VPN

194
00:16:48,950 --> 00:16:52,130
is all at once all from the same computer.

195
00:16:52,180 --> 00:16:58,610
Each one will have its own unique IP address and they don't even have to be the same VPN Provider.

196
00:16:58,630 --> 00:17:06,040
One thing to be aware of however when using a VPN and virtual box is that the Internet kill switch that

197
00:17:06,040 --> 00:17:10,810
usually comes with these clients can be extremely unreliable.

198
00:17:10,810 --> 00:17:16,120
Sometimes it just doesn't work properly in a virtualize environment.

199
00:17:16,450 --> 00:17:24,130
So make absolutely sure to test the kill switch extensively before you put any degree of trust into

200
00:17:24,130 --> 00:17:24,520
it.

201
00:17:24,530 --> 00:17:29,950
OK so I've gone back into full screen mode so we can see this spiffy looking map and how our connection

202
00:17:29,950 --> 00:17:31,600
is being routed.

203
00:17:31,820 --> 00:17:35,090
And as you can see this can get quite complicated.

204
00:17:35,150 --> 00:17:40,740
Bouncing the connection all over the map between various points.

205
00:17:40,810 --> 00:17:43,180
You can do this multiple times once again.

206
00:17:43,180 --> 00:17:46,640
I'm not advocating any particular service here.

207
00:17:46,690 --> 00:17:48,930
These are just quick examples.

208
00:17:49,030 --> 00:17:54,460
So how then do you make an intelligent decision about which VPN to choose.

209
00:17:54,460 --> 00:17:56,530
Well there are many things to weigh in.

210
00:17:56,530 --> 00:18:05,880
Consider first and foremost you want to read through a VPN providers privacy policy very very carefully

211
00:18:06,300 --> 00:18:12,070
who if anyone do they share information with what information do they share.

212
00:18:12,090 --> 00:18:15,930
If any do they keep logs of your traffic.

213
00:18:15,930 --> 00:18:19,680
Do they retain fact of connection records.

214
00:18:19,740 --> 00:18:22,380
What jurisdiction are they operating in.

215
00:18:22,530 --> 00:18:24,690
What kind of reputation do they have.

216
00:18:25,170 --> 00:18:33,390
One problem with both commercial and free VPN providers is that sometimes they flat out lie.

217
00:18:33,390 --> 00:18:39,360
There is also the fact that the world has become a very complicated and interconnected place.

218
00:18:39,360 --> 00:18:46,140
Some governments most notably the United States pretty much have the authority to go to a VPN Provider

219
00:18:46,530 --> 00:18:52,440
in their jurisdiction and prevent them with a secret letter demanding they betray their customers and

220
00:18:52,440 --> 00:18:59,520
not reveal the fact even when this is not done there are intelligence sharing treaties between nations

221
00:19:00,030 --> 00:19:03,790
that are so labyrinthine I don't even want to go into them.

222
00:19:03,840 --> 00:19:13,720
These agreements between countries tend to be referred to as the Five Eyes Nine Eyes and 14 eyes respectively.

223
00:19:13,770 --> 00:19:21,540
Think of them like planetary orbits the Five Eyes are composed of the United States the United Kingdom

224
00:19:21,630 --> 00:19:24,570
New Zealand Canada and Australia.

225
00:19:24,720 --> 00:19:27,630
They basically share everything.

226
00:19:27,630 --> 00:19:34,780
It is pretty handy for them because their own laws prohibit unlawful surveillance of their own citizens.

227
00:19:34,950 --> 00:19:42,660
But those laws do not prohibit let's say hypothetically Great Britain from scooping up American data

228
00:19:43,050 --> 00:19:50,700
analyzing it and then trading it to an American intel agency in return for an American intel agency

229
00:19:50,910 --> 00:19:57,840
scooping up British data analyzing it and trading it back to them again hypothetically this sort of

230
00:19:57,840 --> 00:20:05,130
warrantless surveillance is a massive rabbit hole and it is one that is well beyond the scope of this

231
00:20:05,130 --> 00:20:07,320
tutorial to dive into.

232
00:20:07,410 --> 00:20:13,500
But I do encourage you to research this a bit on your own to get some idea of just how these things

233
00:20:13,500 --> 00:20:15,120
actually work.

234
00:20:15,120 --> 00:20:22,410
But the basic point I'm trying to make is that in a world of secret FISA letters and global surveillance

235
00:20:22,740 --> 00:20:26,120
how can we trust any VPN Provider.

236
00:20:26,130 --> 00:20:33,210
My personal opinion is that no provider can be absolutely trusted but as has been said setting up your

237
00:20:33,210 --> 00:20:36,320
own server has its own set of complications.

238
00:20:36,570 --> 00:20:43,590
A virtual private server that you purchase from a provider is subject to the same national laws as a

239
00:20:43,590 --> 00:20:46,090
VPN provider in that country.

240
00:20:46,200 --> 00:20:49,940
If you control the physical server Well that's great.

241
00:20:49,950 --> 00:20:54,060
You can be sure it isn't storing any logs or doing anything sneaky.

242
00:20:54,240 --> 00:21:00,990
But how do you control it without linking it to your own identity in some way.

243
00:21:01,140 --> 00:21:04,980
And if it is remote do you really control it.

244
00:21:04,980 --> 00:21:07,360
So back to the original question.

245
00:21:07,620 --> 00:21:11,310
How would you make an intelligent coherent choice.

246
00:21:11,310 --> 00:21:14,670
This Web site is simply the best resource that I have yet found.

247
00:21:14,670 --> 00:21:25,680
Here we have a comprehensive chart of all the major VPN providers and if we scroll around we can see

248
00:21:25,680 --> 00:21:30,160
details about them.

249
00:21:30,170 --> 00:21:38,420
There is of course a search feature we can see such information as the jurisdiction we can see if the

250
00:21:38,420 --> 00:21:46,250
jurisdiction in question is part of the publicly known about intelligence sharing alliances whether

251
00:21:46,250 --> 00:21:51,290
or not it logs traffic logs and DNS requests.

252
00:21:51,290 --> 00:21:59,740
Fact of connection timestamps bandwidth usage connecting IP et cetera et cetera.

253
00:22:00,170 --> 00:22:05,030
It tells you whether or not it supports paying for your account anonymously.

254
00:22:05,270 --> 00:22:08,200
And this is something that I'll talk about more in a moment.

255
00:22:08,510 --> 00:22:14,960
And you can see that there are quite a few categories for it since there are quite a few methods of

256
00:22:14,960 --> 00:22:16,750
paying anonymously.

257
00:22:16,850 --> 00:22:18,250
It tells you if it's.

258
00:22:18,290 --> 00:22:24,430
It tells you if the provider offers PDP keys does it support privacy causes.

259
00:22:24,470 --> 00:22:26,230
Does it mean private.

260
00:22:26,240 --> 00:22:31,190
Does it meet privacy tool Io criteria and so on and so on.

261
00:22:31,220 --> 00:22:35,570
As we continue to scroll there are many important data points presented.

262
00:22:35,570 --> 00:22:43,310
If you are considering using any VPN provider I strongly encourage you to come to this chart or one

263
00:22:43,310 --> 00:22:45,940
like it and see how it stacks up.

264
00:22:46,010 --> 00:22:53,300
Relying only on reviews is not a good idea because many of the reviews that come up were paid for by

265
00:22:53,300 --> 00:22:55,190
the providers themselves.

266
00:22:55,190 --> 00:22:59,290
It is very important to research carefully on your own.

267
00:22:59,420 --> 00:23:02,860
What this ultimately comes down to is trust.

268
00:23:02,900 --> 00:23:07,170
Who do you trust which sources do you trust.

269
00:23:07,280 --> 00:23:11,780
A VPN provides a lot of protection and advantages.

270
00:23:11,780 --> 00:23:17,100
It can be used to connect through firewalls sometimes even on a national level.

271
00:23:17,180 --> 00:23:23,000
It can be used to get around geo location restrictions such as for example if you live in the United

272
00:23:23,000 --> 00:23:28,370
States you could unblock the BBC by connecting to a server in England.

273
00:23:28,370 --> 00:23:35,510
There are even times when you might be able to get plane tickets at a cheaper price depending on which

274
00:23:35,510 --> 00:23:39,660
part of the world you appear to be in at the time you visit the website.

275
00:23:39,680 --> 00:23:45,950
It prevents your ISP from mass scooping your data or seeing what it is that you are doing online and

276
00:23:45,950 --> 00:23:47,600
potentially disapproving.

277
00:23:47,600 --> 00:23:55,520
Your VPN provider might lie to you about keeping logs but your ISP most definitely logs everything you

278
00:23:55,520 --> 00:23:56,570
do.

279
00:23:56,570 --> 00:24:02,160
Long standing providers with good reputations are at least worth considering for this reason.

280
00:24:02,240 --> 00:24:11,390
It is possible to make a VPN simply one step in your security rather than having it be the entire picture.

281
00:24:11,390 --> 00:24:18,770
You can add proxies to the mix using in conjunction with Tor or any number of other implementations

282
00:24:18,770 --> 00:24:25,340
to make it more difficult for any one failure in the chain to lead to the exposure of your sensitive

283
00:24:25,340 --> 00:24:26,820
data.

284
00:24:26,830 --> 00:24:30,650
The other thing I want to talk about is paying anonymously.

285
00:24:30,910 --> 00:24:38,920
Several major VPN providers allow you to pay for the service in a number of ways that do not linked

286
00:24:38,920 --> 00:24:41,230
directly to your personal identity.

287
00:24:41,230 --> 00:24:48,340
The most obvious examples are Bitcoin and other forms of cryptocurrency but some even accept gift cards

288
00:24:48,340 --> 00:24:51,410
that you buy in the store with physical cash.

289
00:24:51,730 --> 00:24:57,820
Just as an example you could buy a gift card at your local Best Buy using cash.

290
00:24:57,940 --> 00:25:00,970
The card has no connection to your identity.

291
00:25:01,030 --> 00:25:04,740
You then enter the card number in at the time of payment.

292
00:25:04,750 --> 00:25:12,610
If your VPN supports it along with other bogus information that sometimes the VPN service itself provides

293
00:25:12,610 --> 00:25:16,520
you with Be sure to use a burner email and there you go.

294
00:25:16,540 --> 00:25:23,860
No VPN can ever be trusted completely and absolutely neither can tor for that matter or proxy chains

295
00:25:24,520 --> 00:25:29,050
or any other method you can think of to obfuscate your identity.

296
00:25:29,050 --> 00:25:36,520
But if you use them properly and if you take the necessary steps you can greatly improve your security

297
00:25:36,520 --> 00:25:37,510
and privacy.

298
00:25:37,510 --> 00:25:45,190
Imagine that you take a burner laptop bought with cash to a coffee shop or library use a VPN purchased

299
00:25:45,190 --> 00:25:54,430
anonymously throw in a few extra hops and or proxy chains or maybe even Tor and yeah you can feel reasonably

300
00:25:54,430 --> 00:26:01,870
confident that you are beyond tracking never completely confident but reasonably confident a good VPN

301
00:26:01,900 --> 00:26:08,590
is there for a superb tool for legal penetration testing and other activities such as legal taunting

302
00:26:08,620 --> 00:26:10,160
of legal files.

303
00:26:10,480 --> 00:26:17,050
But you absolutely must do your research make sure you can get the VPN anonymously make sure that they

304
00:26:17,050 --> 00:26:24,700
don't store information make sure that their reputation is actually good.

305
00:26:24,700 --> 00:26:29,360
Make sure you are comfortable with the jurisdiction they are operating in.

306
00:26:29,410 --> 00:26:36,730
And remember that while your ISP only sees encrypted traffic going to and from the VPN server the VPN

307
00:26:36,730 --> 00:26:40,300
provider itself can see everything that you do.

308
00:26:40,300 --> 00:26:44,020
So now we come to the six million dollar question.

309
00:26:44,020 --> 00:26:47,370
Should I use a VPN in conjunction with Tor.

310
00:26:47,680 --> 00:26:54,250
As you might expect the answer is complicated and boils down to who you trust and what you're trying

311
00:26:54,250 --> 00:26:55,500
to do online.

312
00:26:55,510 --> 00:27:03,340
There is no easy right answer when you're using Tor your Internet service provider and whoever runs

313
00:27:03,340 --> 00:27:10,270
your local network can clearly see that you're using Tor they don't know what you're doing with it but

314
00:27:10,270 --> 00:27:12,100
they know that you're using it.

315
00:27:12,580 --> 00:27:20,920
If you're running tour through a VPN then the provider and the network admin see VPN traffic the VPN

316
00:27:20,920 --> 00:27:28,210
Provider sees encrypted traffic going to the TOR entry node the provider can't see what you're sending

317
00:27:28,210 --> 00:27:34,840
to the entry point of the Tor network but it can see that you are connected to the entry point and can

318
00:27:34,840 --> 00:27:37,600
measure your exact traffic volume.

319
00:27:37,600 --> 00:27:44,350
The Tor entry node can also see your real IP address when you're not using a VPN and you connect to

320
00:27:44,350 --> 00:27:46,420
it and that can be an issue.

321
00:27:46,420 --> 00:27:54,320
If the node has been compromised so on the surface this seems like a really good idea.

322
00:27:54,360 --> 00:27:59,910
If the Tor network were compromised such as for example an entry and exit node being controlled by the

323
00:27:59,910 --> 00:28:07,740
same hostile entity wouldn't routing through a VPN be an extra layer of security.

324
00:28:07,760 --> 00:28:16,010
Well maybe but the creators of Thales contend that a VPN also represents an additional possible point

325
00:28:16,010 --> 00:28:19,140
of failure and therefore they advise against it.

326
00:28:19,160 --> 00:28:26,060
Their reasoning goes something like this whether or not tor plus a VPN is a good idea depends on your

327
00:28:26,060 --> 00:28:27,290
threat model.

328
00:28:27,290 --> 00:28:33,270
Local laws operating system setup behavior in a number of other factors.

329
00:28:33,320 --> 00:28:40,040
For example let's assume you're a journalist studying a police corruption case.

330
00:28:40,040 --> 00:28:48,080
If your country's ISP fees are protected by common carrier rules in other words the message is sent

331
00:28:48,140 --> 00:28:54,950
are legally protected in the same way that physical mail is then transmitting content via the VPN is

332
00:28:54,950 --> 00:28:56,180
risky.

333
00:28:56,180 --> 00:29:02,520
The VPN provider isn't a common carrier and therefore doesn't have the same legal protection.

334
00:29:02,600 --> 00:29:10,310
They go on to argue that if the VPN server is compromised in some way this could lead to your fact of

335
00:29:10,310 --> 00:29:16,880
connection to the TOR network being leaked although I personally fail to see how this matters since

336
00:29:16,880 --> 00:29:18,240
without a VPN.

337
00:29:18,290 --> 00:29:21,900
This information is clearly visible to your ISP anyway.

338
00:29:22,040 --> 00:29:23,960
It may be a consideration.

339
00:29:23,960 --> 00:29:30,860
Finally there is the valid point that in adding a VPN client to the Tor client you've got another piece

340
00:29:30,860 --> 00:29:36,940
of software which may contain bugs such as remote code execution.

341
00:29:36,950 --> 00:29:43,880
It is my opinion and I want to stress the word opinion that a belt and suspenders approach is a good

342
00:29:43,880 --> 00:29:44,810
idea.

343
00:29:45,020 --> 00:29:52,370
Provided that you've paid anonymously and that you trust your VPN provider is not storing your connection

344
00:29:52,370 --> 00:29:53,740
information.

345
00:29:53,930 --> 00:30:01,160
If the Tor network fails or is already compromised in some way the VPN represents an extra level of

346
00:30:01,160 --> 00:30:06,870
security as I said though there is no clear right answer.

347
00:30:06,870 --> 00:30:13,680
Security professionals of great skill and tenure have posted many arguments both for and against the

348
00:30:13,680 --> 00:30:20,490
combination of VPN and Tor and a quick search online will present you with plenty of material to chew

349
00:30:20,490 --> 00:30:20,920
on.

350
00:30:20,940 --> 00:30:29,340
If you trust your VPN more than your ISP and or network admin or if it is crucial that these groups

351
00:30:29,400 --> 00:30:35,410
not be able to see that you are using Tor then a VPN might be the way to go.

352
00:30:35,490 --> 00:30:42,810
If on the other hand you think I'm wrong or that a VPN provider might be a point of compromise particularly

353
00:30:42,810 --> 00:30:50,370
for legal reasons relating to your home country or those already detailed by all means stick to Tor

354
00:30:50,370 --> 00:30:50,970
alone.

355
00:30:51,000 --> 00:30:57,210
Your level of security concern will probably dictate these choices for most users.

356
00:30:57,210 --> 00:31:05,760
It really isn't necessary to be this paranoid but if your life depends on your security as it may in

357
00:31:05,760 --> 00:31:10,860
some parts of the world these are things to think about very very carefully.

358
00:31:10,860 --> 00:31:17,400
Always do your due diligence and make sure the solution you pick is carefully researched for both the

359
00:31:17,400 --> 00:31:20,760
pros and the cons before it close out.

360
00:31:20,760 --> 00:31:26,550
I will also add that using a VPN and Linux is really no different than Windows these days.

361
00:31:26,550 --> 00:31:34,830
Almost every VPN Provider both free and commercial offer a Linux client and as I said you can always

362
00:31:34,830 --> 00:31:39,700
download the free software and set up your own VPN server and client.

363
00:31:39,750 --> 00:31:46,860
If you're so inclined again it all comes down to what you need your security to do for you.

364
00:31:47,730 --> 00:31:48,930
Thank you for your attention.