In a world where every activity seems to be monitored by one draconian surveillance state or another, individuals should be taking their privacy very seriously if they wish to have any at all. Luckily for those who want privacy for one reason or another, we have been granted projects such as TOR and I2P, thanks to dedicated developers who are also very serious about security and privacy and maintain these free resources for our use. However, despite the fact that TOR has not been effectively defeated to date, even TOR by itself can make us feel inadequate before the enormous power of three-letter agencies. Large state actors with sufficient means and resources can launch a number of unconventional attacks, such as a traffic correlation attack, and de-anonymize a darknet user without directly defeating the TOR protocol.
With this in mind, people often seek layers beyond the TOR protocol’s packet routing. Adding extra destinations between you and your exit node should, for the most part, increase the difficulty of tracking a user. Some have taken to using VPNs before entering TOR to increase their “anonymity”. This has created somewhat of a controversy, with many repeating the classic saying “VPN -> TOR = go to jail”.
First, it’s important to understand that having the VPN before TOR effectively replaces your ISP with the VPN. Your ISP sees you enter the VPN, and the VPN sees you go into TOR. However, neither your ISP nor your VPN has any idea what you are doing, as each connection is encrypted. An image has been created by a reddit user to demonstrate:
In this scenario, you could have more to worry about from TOR exit nodes spying on what you’re doing (if the server you are connecting to doesn’t use HTTPS), as the VPN is limited to the knowledge that you are entering TOR, but doesn’t know what you’re doing as it can’t see through your encryption. However, if your VPN is compliant with law enforcement (let’s be honest, they all are; no one is going to jail for you), little has been done to improve your original situation, as your lack of trust in your ISP has simply become a lack of trust in your VPN. If your TOR connection breaks, for whatever reason, and your anonymity is compromised, the VPN won’t be much better than your ISP in that regard. VPNs protect your data with security, but provide little for privacy these days, as they all monitor everything.
The second option is TOR -> VPN. In this case your ISP still sees you enter TOR, and your VPN sees your connection come from the TOR network. This protects you from TOR exit nodes, as TOR becomes the first layer of encryption and the VPN the second, actually delivering the data to your destination. However, your VPN could then monitor your actions (albeit this shouldn’t matter if you are truly anonymous to the VPN), and your ISP still sees you enter TOR. There are benefits to each situation, and there are downsides. Let’s expand on certain topics before going further, however.
For example, acknowledge first that your ISP (or a VPN) sees where your packets are going. In fact, it technically has to, as it routes your packets through its own servers out to their respective destinations. Inevitably, this means that your ISP can openly see that you are connected to TOR, and you, being a prudent privacy advocate, do not like them knowing when and how often you enter the TOR network, even if all your activity is technically encrypted. You can never trust a third party, and you should generally assume they log under all circumstances (especially when they say they don’t). All VPN service providers are subject to the laws of their country, and most nations have some sort of Electronic Communications Act which requires companies to co-operate with law enforcement to identify their users without disclosing the fact that they are doing so, or else they may be held responsible for the actions of their users. Also, you never know what they may do with the information that you are accessing TOR. Perhaps they keep track of users entering TOR and co-operate with law enforcement to monitor their activity more closely than that of other users, since those using TOR are more likely to be committing some sort of cyber-crime (what idiot is going to do something dangerous without using TOR?).
The point is that there is nothing wrong with admitting that you don’t know the extent to which you are being monitored; how could you? However, use this uncertainty to your benefit: let it drive you to prepare for every possibility and every unknown, and apply as much extra security as you can whenever you are unsure.
If your VPNs and ISPs monitor your actions, the best bet is to use a VPN from another country that has poor relations with your home country. Russian hackers hack American companies all the time with little to no fear of repercussion. Many of them don’t even bother hiding, as their nation state, Russia, doesn’t care, and United States law enforcement has no jurisdiction in Russia. This has led to events such as FBI stings set up to lure Russian hackers into America for arrest. So by using a VPN in a country like Russia, for example, you could avoid US government issues by trusting a Russian VPN. Even Russian VPNs aren’t free from legal issues, however, and as long as potential logs exist, there is still a possibility of your being discovered in an investigation.
If you haven’t noticed yet, there is a pattern of trust here which is negatively impacting the security of our operations. What if we could have more control over our VPN instead of handing our autonomy to third parties?
VPN Alternatives for Improved OPSEC
Why trust other VPNs when you can get your own server with more control? Purchase a Virtual Private Server that is DMCA non-compliant and offshore, preferably in Russia or another country with poor relations to your own. Though some may be expensive, they are well worth it if you are taking your operations to the next level. You can carry out your operations from this server using RDP.
Another option is basic SOCKS proxies from countries such as Russia and China. SOCKS is a more capable type of proxy which operates at a lower level of the OSI model. Instead of forwarding individual HTTP requests like regular proxies, SOCKS forwards an entire socket connection. When adding layers to your identity, bouncing your traffic through sets of proxy chains is very useful in making any investigation of you difficult and time consuming.
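Because SOCKS forwards a whole socket rather than an HTTP request, the destination of the tunnelled connection is stated only once, in the SOCKS handshake itself, and a network defender who wants to know where proxied traffic is really going has to parse that handshake. The following is an added example, not code from the original post: a parser for the SOCKS5 client greeting and request as specified in RFC 1928, plus a small detection routine that runs it over constructed flow records and flags handshakes to proxies that are not on an allow-list. The flow-record layout and the sample bytes are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
METHOD_NAMES = {0x00: "NO_AUTH", 0x01: "GSSAPI", 0x02: "USERNAME_PASSWORD"}


@dataclass
class Socks5Request:
    command: str       # CONNECT / BIND / UDP_ASSOCIATE
    host: str          # dotted IPv4, IPv6 text, or the domain name as sent
    port: int
    address_type: str  # "ipv4", "ipv6" or "domain"


def parse_greeting(data: bytes) -> Optional[List[str]]:
    """Parse the SOCKS5 client greeting: VER, NMETHODS, METHODS[NMETHODS].
    Returns the offered authentication methods, or None if the bytes are not
    a well-formed SOCKS5 greeting."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return [METHOD_NAMES.get(m, f"0x{m:02x}") for m in data[2:]]


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """Parse the SOCKS5 request: VER, CMD, RSV(0x00), ATYP, DST.ADDR, DST.PORT.
    Length checks are strict so a truncated or padded message is rejected."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        return None
    command = CMD_NAMES.get(data[1])
    if command is None:
        return None
    atyp = data[3]
    if atyp == 0x01:                       # IPv4: four address bytes
        if len(data) < 8:
            return None
        host, end, kind = str(ipaddress.IPv4Address(data[4:8])), 8, "ipv4"
    elif atyp == 0x04:                     # IPv6: sixteen address bytes
        if len(data) < 20:
            return None
        host, end, kind = str(ipaddress.IPv6Address(data[4:20])), 20, "ipv6"
    elif atyp == 0x03:                     # domain: one length byte then the name
        if len(data) < 5:
            return None
        name_len = data[4]
        if name_len == 0 or len(data) < 5 + name_len:
            return None
        try:
            host = data[5:5 + name_len].decode("ascii")
        except UnicodeDecodeError:
            return None
        end, kind = 5 + name_len, "domain"
    else:
        return None
    if len(data) != end + 2:               # exactly two port bytes must follow
        return None
    port = int.from_bytes(data[end:end + 2], "big")
    return Socks5Request(command, host, port, kind)


# Constructed flow records (assumption: a capture tool hands us the first two
# client-to-server messages of each TCP flow). Not real traffic.
SAMPLE_FLOWS: List[Dict] = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 1080,
     "client_msgs": [b"\x05\x02\x00\x02",
                     b"\x05\x01\x00\x03\x0bexample.com\x01\xbb"]},
    {"src": "10.0.0.9", "dst": "198.51.100.3", "dport": 8443,
     "client_msgs": [b"\x05\x01\x00",
                     b"\x05\x01\x00\x01\xc6\x33\x64\x01\x00\x50"]},
    {"src": "10.0.0.12", "dst": "198.51.100.40", "dport": 443,
     "client_msgs": [b"\x16\x03\x01\x00\xa5"]},   # TLS ClientHello, not SOCKS
]


def find_socks_flows(flows: List[Dict], allowed_proxies: set) -> List[Dict]:
    """Return one finding per flow whose first two messages form a SOCKS5
    handshake, including the real destination hidden inside the tunnel.
    Flows to a proxy outside allowed_proxies are marked for alerting."""
    findings = []
    for flow in flows:
        msgs = flow["client_msgs"]
        if len(msgs) < 2 or parse_greeting(msgs[0]) is None:
            continue
        req = parse_request(msgs[1])
        if req is None:
            continue
        findings.append({
            "client": flow["src"], "proxy": flow["dst"], "proxy_port": flow["dport"],
            "real_destination": f"{req.host}:{req.port}", "command": req.command,
            "alert": flow["dst"] not in allowed_proxies,
        })
    return findings


if __name__ == "__main__":
    for finding in find_socks_flows(SAMPLE_FLOWS, allowed_proxies={"203.0.113.7"}):
        print(finding)
```

The proxy port is deliberately not used as a signal: the second sample flow speaks SOCKS5 on port 8443, which is exactly the case a port-based rule misses, so the detection keys on the handshake bytes instead.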
Hackers like to create botnets of slave computers to remotely control. Who’s to say you can’t use slaves in a botnet as proxies? In fact, many remote administration tools (RATs) offer this feature, such as the LuminosityLink RAT. This RAT lets you connect to victims either through RDP or use their IP addresses as remote SOCKS5 proxies! By using botnet victims to route your internet traffic, you can very effectively obscure your trail, leaving behind only innocent, infected computers when investigators come looking.
These are but a few methods commonly used by users who want more privacy. By creating large chains of these resources distributed around the world, a user can make finding them effectively impossible for regular law enforcement. Regular law enforcement still generally catches perpetrators based upon their errors, not the skills of investigators. Using these methods, even large agencies and governments will consider a user who takes OPSEC very seriously too expensive and difficult to trace. They will likely turn to methods other than tracking down every single hop you’ve used across the globe, such as attempting to target you with malware. However, there are many fish in the sea, and unless you are planning a sinister plot or have landed yourself on a three-letter agency’s radar, chances are you should be fine.
Mixing up chains such as “VPS -> SOCKS -> TOR -> SOCKS -> Slave” should be sufficient. Regularly changing identities and servers and mixing up your chain should make targeting you nearly impossible. Use a burner laptop and a secure OS, such as Tails or Whonix. For example, DO NOT use Windows. Although Windows is easy to use, it takes control away from the user. Take the time to get creative and learn your technology. Set up Whonix on a practice machine and set up these technologies on Virtual Machines. Learn about things such as DNS leaks and transparent DNS proxies. These extra steps may be boring, but they are phenomenally less boring than 20 years in a federal penitentiary. Learning some basic technology to avoid oppressive regimes which torture and kill dissidents is a fair price, I think.
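A DNS leak is the simplest way for a carefully built chain to fall apart: the tunnel carries the TCP traffic, but the name lookups go straight out of the physical interface to the ISP’s resolver, which then has a log of every hostname visited. The check below is an added example, not part of the original post or of any tool it mentions. It runs over constructed per-flow records (the line layout “timestamp iface src dst proto dst_port” is an assumption; adapt the split to your own conntrack or NetFlow export) and reports every DNS or DNS-over-TLS flow that either left on a non-tunnel interface or went through the tunnel to a resolver other than the one the tunnel provides.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed flow records for the example; not captured from a real host.
# Fields: timestamp interface src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z tun0 10.8.0.2 10.8.0.1 udp 53
2024-05-01T10:00:02Z tun0 10.8.0.2 198.51.100.20 tcp 443
2024-05-01T10:00:03Z eth0 192.168.1.10 192.168.1.1 udp 53
2024-05-01T10:00:04Z tun0 10.8.0.2 8.8.8.8 udp 53
2024-05-01T10:00:05Z eth0 192.168.1.10 203.0.113.9 udp 1194
2024-05-01T10:00:06Z eth0 192.168.1.10 9.9.9.9 tcp 853
"""

DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS

BYPASSED_TUNNEL = "DNS query left on the physical interface, bypassing the tunnel"
FOREIGN_RESOLVER = "DNS query went through the tunnel to a resolver the tunnel did not provide"


@dataclass
class Finding:
    timestamp: str
    iface: str
    resolver: str
    reason: str


def parse_flows(text: str) -> List[Dict]:
    """Turn the whitespace-separated flow lines into dicts; blank lines skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, iface, src, dst, proto, dport = line.split()
        flows.append({"ts": ts, "iface": iface, "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport)})
    return flows


def find_dns_leaks(flows: List[Dict], tunnel_iface: str = "tun0",
                   tunnel_resolver: str = "10.8.0.1") -> List[Finding]:
    """Classify every DNS flow. Anything on a non-tunnel interface is a leak
    regardless of destination: a transparent DNS proxy at the ISP answers
    port-53 traffic no matter which resolver address the packet carries, so
    the destination IP alone proves nothing about who really saw the query."""
    findings = []
    for f in flows:
        if f["dport"] not in DNS_PORTS:
            continue  # not DNS; the tunnel's own UDP 1194 flow falls out here
        if f["iface"] != tunnel_iface:
            findings.append(Finding(f["ts"], f["iface"], f["dst"], BYPASSED_TUNNEL))
        elif f["dst"] != tunnel_resolver:
            # an application with its own hardcoded resolver still leaks
            # hostnames to that resolver, even though the packet was tunnelled
            findings.append(Finding(f["ts"], f["iface"], f["dst"], FOREIGN_RESOLVER))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for a quick pass/fail readout."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    leaks = find_dns_leaks(parse_flows(SAMPLE_FLOWS))
    for leak in leaks:
        print(f"{leak.timestamp} {leak.iface} -> {leak.resolver}: {leak.reason}")
    print(summarize(leaks))
```

A clean result is an empty list; the sample deliberately contains one query to the home router, one to a public resolver inside the tunnel, and one DNS-over-TLS connection outside it, so all three classes of mistake show up in the output.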
Also realize that even if these methods were 100% secure (which they are not), all it takes is human error to destroy your anonymity. If you are being investigated, realize that everything you say will be recorded. Saying things that could be personally descriptive, even something seemingly innocuous like commenting on the weather, can be used to correlate your anonymous identities with your real identity. You went to the Bruins game last Saturday? Your identity has been narrowed down to a couple thousand individuals. Spread disinformation; don’t leave legitimate breadcrumbs. Change your writing style between separate identities. Use common sense. Preserve your liberty and breathe the free air of healthy paranoia.
It’s a dangerous world; stay safe out there.