POLICY SUGGESTION: E-Mail Requests From The Religious

Are you suggesting that one should not bother with a VPN then? Because my point is that it’s a very effective protection, properly used, and with the numerous caveats that I and others have delineated.

I’d go so far as to argue that absent some hypothetical future quantum computing cypher-breaker, my use of Proton VPN makes my online traffic that occurs when I have it turned on, effectively untraceable, given that such traffic is neither logged by Proton, nor could it be subpoenaed if it were. And in between me and the destination, it’s gibberish that would take impractical compute resources and time to decipher. In fact – since there’s no record of the traffic, the only PORTION of my online activity that even a currently non-existent quantum decyphering program could “out”, would be the in-flight traffic and routing that I might indulge in after such a program went online. It would be no help in ferreting out my PAST activities.

All that said: given your obvious need to be right – I’ll allow that you ARE right, in an abstract / theoretical / technical sense that does not inform whether or not one should, in fact, be using a VPN in this environment if you want it FAR less likely that the guv-mint would be able to trace your activities and harass you for Wrongthink.

Nope. And I never said that.

As with all countermeasures used for reducing risk, no VPN can, in the mathematical sense, guarantee your absolute security against tracing online. But using a VPN protects you much better than not using a VPN. And some VPNs protect you better than others, provided you don’t fuck up with your online opsec.

Analogically, when you leave your house, you probably lock your front door. Some locks are excellent while some are trash, and are trivial to open (like a certain well-known brand illustrated in the video below). But even if all mechanical locks are, in principle, pickable (some easier than others), that does not prevent you from installing a lock on your front door and using it. Right?

1 Like

Again, that’s precisely why I challenged the statement, “VPNs obfuscate one’s real IP address, rendering the traffic untraceable.”

Modern cryptoalgorithms can, in principle, be broken, even if it takes longer than the lifetime of our solar system. But that doesn’t mean that the protection it provides is useless. It will give you enough security for your secrets to be safe and secure in practice. Likewise, a good VPN implemented and used properly with good opsec will render your activity untraceable in practice. Security is a continuum. Using your real email address, your real name, your real address, and doing your online banking without encryption is at the extreme end. At the other extreme end, you have theoretically unbreakable cryptography and VPNs (which do not exist). That doesn’t mean that since there are no theoretically 100% safe VPNs, all VPNs are useless. You get adequate protection and - in practice - protection from tracing by using a VPN with adequate security.

Returning to my example with locks: You CAN get locks that will resist all but the most sophisticated lockpickers. And I assume that if you had one, you would not refuse to acknowledge that it gives very good protection, even if it is not mathematically or physically perfectly secure. But even if you have a lesser lock than this that provides adequate security, you will strongly benefit from using it rather than not using it. Because they are much better than the alternative, and can give you enough protection against the intended adversaries.

So with VPNs - the best give you security that in practice will make you untraceable for relevant adversaries. If you worry about being traced online, and do not trust VPNs because of theoretically unreachable perfect security, then you’re better off not being online. And if not being online is not an option, using a good VPN is infinitely (in the colloquial sense) better than not using one. It can make you untraceable in practice. A testament to the efficiency of VPNs and onion technologies is the great difficulty law enforcement agencies have in tracing and stopping online child molesters and spreaders of child porn. Yes, they catch some (fortunately), but a lot of those cases are due to bad opsec and/or improper use of the relevant technologies, and they spend huge resources doing that.

Tl;dr: The relevant term to use is adequate security, not theoretically perfect security.

Again….not untraceable.

Apart from philosophically nitpicking I’m not quite sure what you are aiming at. And I certainly do not view it as constructive.

No, there is no such thing as theoretically perfect technology. No cryptography is perfect. No healthcare is perfect. No contraception is perfect. But that doesn’t mean they aren’t useful, and can’t do a damn good job. Good cryptography does an extremely good job of protecting the online banking we use here to such a degree that it is inconceivable that adversaries attack the crypto algorithms to empty victims’ bank accounts. Instead, they aim for opsec failures (phishing attacks, confidence attacks, scams, etc.), not the cryptography. Even if modern medicine is not perfect and doctors are not perfect, and they don’t have perfect knowledge of all possible conditions and diseases, I would argue that hospitals, medicines, and doctors are pretty darn useful and effective. They could of course be better, but it would be counterproductive to not recommend going to a doctor because modern medicine is not perfect. And even if condoms can and do break, it would be very unwise to NOT use them because of this; their utility far outweighs the disadvantages and dangers of possible breakage, with ensuing consequences.

So, even when we grant there is no such thing as perfect cryptography, it would be stupid to not recommend usage of https connections to your online bank, and to not recommend VPN if you want to live a more secure life online. The military use encryption to secure their data and encrypted data links to secure their comms BECAUSE their utility and de facto impenetrability makes the effort of breaking into them not worth the effort. Spies and intelligence agencies therefore don’t normally try to break the encryption, but use other methods instead, methods that give them a much higher success rate.

1 Like

Just to get back to practicality, when I was researching “sensitive” subjects for a script or manual I used TOR over a logless VPN. On top of that, when researching ultra sensitive stuff that was likely to be monitored (“how to make a” stuff) I set up a nice little Virtual Machine running Tails, with a Czechoslovakian based VPN, and Tor on top.
Rules:
NEVER download anything
Never use your real email.
Do not use any messaging app
Do not pay for anything using your credit card
Check out any website first unless it is Onion based.

Having had a “friendly” visit from the constabulary when I was researching for a play about the IRA and assorted offshoots many years ago I can attest to the fact that certain subjects are monitored and not always in a friendly way.

Be safe: wear socks and two condoms when online.

1 Like

It may or may not be constructive but you are at arm’s length from me on it. We have been having a back and forth that is roughly equal in number of posts. Continued participation in the conversation has been by choice.

I’ll explain, in part, my participation in it. I have, for years, observed folks here who identify as atheist hold the feet of those identifying as theist to the fire over assertions. But too often, it seems to me, what is good for the goose is not good for the gander.

When a statement is made that is an assertion without qualification, I think it’s important that it has facts to back it up. If, for instance, a theist were to say, “belief in gods is beneficial,” it would be (and has been) immediately challenged. As it should be. That assertion may very well be true for some. However, the initial assertion did not include that qualifier. Ergo, the initial statement can be considered bupkus. Is that nit-picking? Perhaps it is.

This forum uses a medium that is single dimensional. IMO, that makes strict specificity even more critical.
So when I read a statement without qualification that I know not to be fact, I will challenge it. This entire conversation would have been avoided if the response to it had not been a challenge.

Do I think using a VPN is advisable? Of course I do. I never said otherwise. My challenge was, in effect, saying, “Beware, condoms break. You are not without risk.”

Even you have said that no VPN will make traffic untraceable. Why was your choice to proceed with instructing me on the nuances of it? Do you assume I don’t know anything about or have no experience in internet security?

Sigh…I think this conversation definitely has lived its entire life and am happy to end it. Since you can’t hear my tone or see my body language, I’ll say I’m not, and haven’t been angry throughout it. I will, however, continue to challenge any assertion made by any poster regardless of how they identify.

Well I can see that this is not a place to have a relaxed conversation or let your hair down. That is too bad IMO.

I am not some theist seeking to induct people into a cult of VPN. I used a perfectly understandable semantic shortcut. People should seriously consider using VPNs, they are a great tool in the toolbox. When challenged as to whether I literally meant what I said about VPN traffic being untraceable, I took the time and effort to qualify it quite thoroughly. Yet you are discontent with anything but a total mea culpa.

So okay, I lied. VPN traffic is not, literally and unconditionally, untraceable. I committed the sin of talking in a particular context about a particular product that I had vetted to my personal satisfaction. And it was not enough that I clarified on cross-examination. I should have admitted right away that you were absolutely right. You were right! Absolutely correct! And I was utterly wrong, misleading, and hypocritical.

I’m sorry, and it won’t happen again.

1 Like

Several years ago when I was taking a mathematics course in college, there was a supposedly very secure and practical encryption process that used large prime numbers.

A major problem with encryption is key distribution.

This encryption process solves this by taking a 40 or 50 digit prime number and multiplying it by another 40 or 50 digit prime number, and this larger number could–in principle–be printed on a business card and handed out to everyone in the world.

This huge number is used to send an encrypted message to you, and you can decode it because you know the original two prime numbers.

If the hacker wants to decrypt the intercepted message traffic, then they have to completely factor this huge number which would take longer than several hundred trillion years or something . . . even if we used all of the world’s computers working in tandem.

This was called PGP, or Pretty Good Privacy.

I was led to believe that the American government tried to restrict this computer product because they labeled it a “munition,” so you don’t hear about it any more.

I heard about PGP from The Code Book by Simon Singh, which I used in my mathematics class.

Can PGP be used as a foundation to protect freedom of expression on the Internet?

It is another tool.

The basic problem IMO is less technical than social. PGP encryption, even when built into a product such as an email client, is Just Another Thing To Deal With. You send an encrypted email to someone and they have to have some way to decrypt it, or they need your public key, or whatever.

Just yesterday I read an article – by someone claiming to be a security expert, which they may be, but perhaps not that great of a wordsmith – stating that the Rhode Island Medicaid site was breached by “hacking its VPN”. The article itself revealed that the VPN was not hacked, it was pure social engineering; someone had gotten hold of a user’s credentials, and merely logged in. Social engineering attacks are, in practice, the primary way in which operational security is defeated … particularly if you include simple mistakes, such as the way Equifax systems were “hacked” a few years ago simply because some developer left a test site up on the public internet that required no password to gain access. I was a contractor for Equifax up until about 2 years ago, and they were so traumatized by the incident that they had gone too far the other way – you could not get a file transferred between divisions without an Act of Congress, even when the info was not sensitive.

So as usual, it is humans at the bottom of all the problems.

I have to be careful myself. To RDP into the servers I work on requires poking a hole in the firewall for my IP address. If I’m trying to get some work done away from my office, I have to fire up a program and add the local IP to the exception list. If I then forget to remove the exception when I’m done, in theory, anyone in that doctor’s office or whatever could access my server – although they would STILL need to know my login credentials.

But that is how breaches happen, whether you’re using a VPN, or PGP or whatever … even if it’s layered protections, at some point, a comedy of errors will occur and some bad actor will notice and exploit it.

2 Likes

Thank you very much for clarifying this.

I also now understand better why they have some seemingly excessive and/or nonsensical rules in place about computer usage at my new job, so thank you again.

You’re welcome.

Right before I left Equifax, they were beginning to figure out that commercial credit data is far less sensitive than consumer credit data, and got it reclassified at a different level, so that they wouldn’t be so paralyzed when dealing with that kind of data. But that took years of lobbying from a department that top management probably doesn’t understand and considers peripheral. So the moral of that story is, the further you are from the core business emphasis of a large corporation, the more you will be strangled by seemingly irrational policies that actually prevent you from meeting your objective – just because of this tendency to have blanket policies for the company as a whole.

I was there because I came along with a small startup they had devoured, and that made it even worse, because of the clash of corporate cultures and the fact that they had bought us mostly to eliminate us as a competitor [sigh]. Now I’m back in the relatively sane world of a small startup with a handful of employees, where I set my own policies and am left the hell alone to do my job correctly, lol.

1 Like

Tangential diversion request at this point before resuming normal service … without giving away any perilous secrets, why is commercial credit data less sensitive? I would have thought the reverse was true, not least because companies are usually given much larger credit facilities than private individuals (though of course the rich provide obvious exceptions).

The process you describe is the essence of the RSA cryptoalgorithm. 40 or 50 digit numbers would be much too weak today. In the context of RSA, 250 decimal-digit numbers (829 bits) have been factored in the RSA factoring challenge. For real security today, you should go to at least a 2048-bit number (i.e. the product of those two numbers should be at least 2048 bits), which corresponds to 617 decimal digits.

In practice, you would not encode the entire message using RSA as it is horribly slow if you want to use it for bigger chunks of data. Therefore, RSA is in practice instead used for protecting the encryption key. To do this, you encrypt the data using a fast, classical encryption algorithm (like AES) with a random key. This encryption key (typically 256 bits) is then encrypted using RSA, and the encrypted key is attached to the encrypted data. On the receiving side, you use RSA to decrypt the key, and then use this key to decrypt the data using your classical algorithm.

Not quite. PGP is an encryption program that supports different encryption algorithms and can utilise public key algorithms (such as RSA) for solving the key distribution problem.

1 Like

Consumer credit contains social security #s and other personally identifiable info, and is subject to much stricter rules & regulations (and penalties). Commercial credit is basically a business name/address, perhaps credit terms, first/last sale date, and the aged receivables $ owed in each month. Normally, who it’s owed to is obfuscated, though it may be broken down by industry. The bottom line is how much do they owe, how long does it take them to pay, what are the trends.

The thing some people think of when they think of commercial credit is the old fashioned D&B reports that also have info about the physical facilities, the officers, years in business, maybe some analyst natterings about their business prospects – though that has fallen out of favor as not very bottom line, even at D&B. And even that info is publicly available (especially for public corporations) or can be pretty well inferred; the value of it in reports was just having it handy for quick lookup in one place.

Also in play … there are a LOT more consumers than businesses, so even though businesses tend to owe larger amounts, there are fewer of them and the total $ is actually less than you’d think. Consumer debt is about $18 trillion whereas commercial debt is a bit under $14 trillion.

I have no doubt that will happen here. I’m just not sure if it will happen before or after I’m gone.

I would turn them all down if I were you.