http.james' Blog

My little corner of the Internet.

My quest for ultimate privacy

According to ArsTechnica, about 80% of the world uses Windows as their desktop operating system, while the other 20% is split between macOS, ChromeOS and Linux-based distributions. I used to be part of that 80%, a long-time Windows user. I had used that clunky, bloated, unreliable and privacy-invasive operating system for the majority of my life, ever since I was a child, really. I recently moved to Ubuntu, one of the most popular Linux distributions, as my primary desktop operating system, and I have never felt this free or had this much peace of mind while using my computer. I switched to Linux because I wanted true privacy, stability and customizability.

True Privacy

TheHackerNews published an article reporting that Windows 10 contacts Microsoft's servers with your personal data around 5,500 times a day, even after you tweak every privacy setting. Does that sound like privacy to you? It sure as hell doesn't to me. By definition, Windows 10 is spyware: it collects nearly everything it can and phones home. If a third-party app did this, media outlets would call it spyware and the federal government might even issue a warning, but for some reason Windows 10 doesn't qualify.

Some people think this is fine because Microsoft is a big company they trust, but that is exactly why you shouldn't trust them. Microsoft is a conglomerate that dominates the PC operating system market, as mentioned above. What do you think they do with all that data? I know they're selling it, that's for sure. Microsoft is also a participant in the NSA's PRISM surveillance program, so they are almost certainly handing users' personal data over to the agency. Oh wait, we already caught them.

There are ways to try to block Windows 10 telemetry, but no sure-fire one. Debloating Windows 10 through the registry will definitely fuck up your system, because the telemetry is rooted that deeply in the operating system.

With Linux, there is no conglomerate. It's free, open-source software. The community actively develops it, and anybody with the necessary programming background can audit the code to find security vulnerabilities and verify what it actually sends. At the moment I'm running Ubuntu 20.04 LTS, which asks you once, in plain language, whether to send a system report, shows you exactly what that report contains and why Canonical wants it, and lets you switch it off at any time with a single toggle.

Stability

I think almost everybody knows the infamous blue screen of death by now. It's the bright blue, anxiety-inducing screen you see when Windows has a problem... which is extremely frequent. I can't speak for anyone else's Windows 10 experience, but I can absolutely comment on mine, and it has been ridiculous. My computer would often freeze or blue screen, especially when running video games and virtual machines that it was perfectly capable of running without issues.

With Linux, my computer runs better than it did the day I bought it. It's faster and more capable than it ever was on Windows 10. Ubuntu is so resource-efficient that my CPU usage rarely stays high, and my memory usage when idle is significantly lower.

Customizability

Windows 10 isn't very customizable compared to Linux. For the most part you're stuck with the stock interface: you can change the wallpaper and the accent colour and maybe tweak how the desktop looks. On Linux you can change the look entirely. Desktop environments like GNOME and KDE are modular, and users can tweak them however they want. Don't like the icon pack? Change it. Want to drive your whole desktop from the keyboard? Tiling window managers are built for exactly that. There's a desktop environment for every type of person.

Conclusion

In my opinion, Linux is far superior to Windows 10 because I have the peace of mind of knowing that no one is watching my every move, that my computer will be ready for me at any time, and that I can change any part of my operating system whenever I want. I highly recommend that avid privacy nerds like me give a Linux distribution a try if they haven't already. If you're still on the fence, you can always dual-boot and run Linux alongside Windows, so you can switch between the two whenever you want. I started out as a dual-booter myself, then quickly ditched Windows and switched to Linux full-time.

Contact Me

The alternatives that keep my personal information private from prying eyes.

As you might know already by looking at my previous blog posts, I'm heavily invested in privacy and anonymity and I enjoy learning new ways to keep my personal data private.

Email

  • ProtonMail: a feature-rich email service with privacy as its main value.
  • Riseup: a non-profit organization offering free, invite-only services that aim to protect digital freedom and privacy.
  • AnonAddy: an email aliasing service that keeps your real address hidden from spammers and cybercriminals; each site gets its own alias, which you can disable the moment it starts receiving junk.

Calendar

  • Baikal: an excellent self-hosted calendar and contacts (CalDAV/CardDAV) server that just works.

Messaging

  • Session: an anonymous, decentralized messenger that needs no phone number or email address to sign up.
  • Signal: a simple messenger with end-to-end encryption and privacy by default.
  • Element: a Discord-like Matrix client with end-to-end encryption.
  • XMPP + OTR: XMPP with Off-the-Record messaging is a classic, time-tested encrypted messaging setup.

Notes

  • Joplin: a comprehensive note-taking app with optional end-to-end encrypted syncing.

Password Management

  • Bitwarden: an end-to-end encrypted password manager.

Device Security

  • GlassWire: a device-wide firewall and network monitor (Windows and Android) built for advanced and everyday users alike.

Cloud Storage

⚠️ Always encrypt sensitive files yourself before uploading them to any cloud storage provider. Even when the client is open source, you cannot fully verify that the binary you run was built from that code or that the provider's servers do what its policy says, so treat the provider as untrusted and keep the encryption key on your own device.

  • Filen: a promising end-to-end encrypted cloud storage startup with privacy at its core.
  • 🔓 Jottacloud (not zero-knowledge): a generous cloud storage provider with a strong privacy policy and privacy guarantee, but it holds the keys to your data.
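A minimal way to follow the warning above, as an added example that is not code from the original post or from any of the providers listed: encrypt on the client, keep the key on the client, and upload only an opaque blob. It uses nothing but the Python standard library so it runs anywhere; the keystream is HMAC-SHA256 in counter mode (a PRF-based stream cipher) and the blob is authenticated with a second HMAC-SHA256 under a separate key (encrypt-then-MAC). The file name, content and key are constructed sample values. Day to day you would reach for an audited tool such as age or gpg --symmetric rather than hand-rolled code; the point here is what client-side encryption has to do before anything leaves your machine.

```python
"""Client-side encryption of a file before it is uploaded to cloud storage.

Added example using only the Python standard library:
  keystream = HMAC-SHA256 over (nonce || block counter), i.e. a PRF in counter mode
  tag       = HMAC-SHA256 over header + ciphertext (encrypt-then-MAC, separate key)
The master key never leaves the device; the provider only ever receives an
opaque blob stored under an opaque name.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"CSE1"      # format marker for this example only (hypothetical)
NONCE_LEN = 16
TAG_LEN = 32


def new_master_key() -> bytes:
    """256-bit random key; keep it in a password manager, never with the provider."""
    return os.urandom(32)


def subkeys(master_key: bytes):
    """Derive independent keys for encryption, authentication and object naming."""
    def derive(label: bytes) -> bytes:
        return hmac.new(master_key, label, hashlib.sha256).digest()
    return derive(b"file-encryption"), derive(b"file-authentication"), derive(b"remote-name")


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def remote_name(master_key: bytes, local_name: str) -> str:
    """Deterministic opaque object name, so re-uploading the same file overwrites it."""
    _, _, name_key = subkeys(master_key)
    return hmac.new(name_key, local_name.encode(), hashlib.sha256).hexdigest()[:32] + ".bin"


def encrypt_file(master_key: bytes, local_name: str, content: bytes) -> bytes:
    enc_key, mac_key, _ = subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)       # fresh per file: reusing one would leak the XOR of two plaintexts
    name = local_name.encode()
    plaintext = struct.pack(">H", len(name)) + name + content   # the real name rides inside the ciphertext
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    header = MAGIC + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def decrypt_file(master_key: bytes, blob: bytes):
    """Return (local_name, content); raise ValueError on any tampering or a wrong key."""
    enc_key, mac_key, _ = subkeys(master_key)
    head_len = len(MAGIC) + NONCE_LEN
    if len(blob) < head_len + TAG_LEN or blob[:len(MAGIC)] != MAGIC:
        raise ValueError("not a blob produced by encrypt_file")
    header, ciphertext, tag = blob[:head_len], blob[head_len:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting a single byte
        raise ValueError("authentication failed: wrong key or tampered blob")
    nonce = header[len(MAGIC):]
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    name_len = struct.unpack(">H", plaintext[:2])[0]
    return plaintext[2:2 + name_len].decode(), plaintext[2 + name_len:]


if __name__ == "__main__":
    key = new_master_key()
    blob = encrypt_file(key, "tax-return-2020.pdf", b"%PDF-1.4 constructed sample content")
    print("upload as", remote_name(key, "tax-return-2020.pdf"), f"({len(blob)} bytes)")
    print("restored:", decrypt_file(key, blob))
```

The real file name travels inside the ciphertext and the object is stored under an HMAC-derived name, so the provider sees neither. It still sees file sizes and upload times, which no client-side scheme hides. decrypt_file refuses to touch a blob whose tag does not verify, so a tampered or wrong-key blob fails closed instead of returning garbage.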

VPN

This article is not sponsored by any entity.

⚠️ A VPN is not a bulletproof solution: use it for privacy, not anonymity. Read VPNs Aren't Magical—Here's Why for more details.

  • Windscribe: a VPN with a strong privacy policy and a humorous vibe.
  • IVPN: a trustworthy and very transparent VPN provider. (The CEO of Windscribe used IVPN before starting his company!)
  • Mullvad: a trustworthy and very transparent VPN provider.

Conclusion

You've reached the end of my list—I hope you were able to discover an alternative or two along the way! If you disagree with any of my choices or just want to talk to me, feel free to send me an email.


Did you know that the National Security Agency (NSA) conducts invasive mass surveillance on American citizens? If so, how do you feel about it? Do you think it's effective against national security threats such as terrorism or cyber-crime? Ever since the 9/11 attacks[1], the NSA has been spying on citizens around the world. It has collected billions of electronic communications, including email, video, voice chat, photos, file transfers and social networking details[2], without explicit consent from citizens or clear disclosure. According to Pew Research, 53% of the United States population disapproves of the government's mass surveillance efforts to combat terrorism[3]. I think the NSA's illegal mass surveillance is an ineffective attempt at preventing crime because it almost never yields positive results, infringes on citizens' privacy, and is unlawful.

These Programs Don't Yield Many Positive Results

The NSA's spying programs might sound logical to some because, in theory, if you knew everything you could prevent crime in real time; however, the NSA is not a god. A prime example of the ineffectiveness of mass surveillance is the Boston Marathon bombing in April 2013. Mass surveillance was already in effect at the time, but the attack still happened. The terrorists built bombs out of pressure cookers, killing three people and injuring many others. They were caught, but the evidence that caught them did not come from electronic surveillance[4]. Years earlier, the Russian government had warned the American government about them. They were placed on a watchlist, yet the data collected could not prevent the attack. In fact, after the bombing, plenty of innocent citizens were misidentified as suspects. For instance, a woman was interrogated by the FBI because she had shopped for pressure cookers and backpacks online.

If that wasn't enough for you, here's another example. In 2009, a military psychiatrist killed thirteen people at Fort Hood in Texas[4][5]. The NSA had intercepted communications suggesting a possible future attack, but nobody pursued the man. No action was taken against him, and thirteen innocent lives were lost.

The NSA Violates Citizens' Privacy

In 2006, the Electronic Frontier Foundation (EFF) obtained evidence from an AT&T whistleblower showing that the company was cooperating with illegal surveillance[6]. This surveillance swept up emails and internet traffic without people's consent: a fibre-optic splitter installed in AT&T's facilities copied subscribers' traffic, and the NSA obtained the resulting data from AT&T.

In fact, after the NSA spying programs were exposed, President Obama said it would have been better if the American people had never learned about them. The government's intent was to keep the programs secret from the American population.

Another way the NSA collects huge amounts of citizens' electronic data is directly from American service providers. As revealed by Edward Snowden, a former CIA employee and NSA contractor, the NSA stored activity from Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube (which used to be a standalone company) and Apple services[9]. The data was aggregated into massive NSA, FBI and CIA databases that could be searched with querying tools, and those databases held extensive amounts of private information.

PRISM

Some people say, “Well, I have nothing to hide! Why should I care?” That isn't true: you do have something to hide. Would you be comfortable publishing every thought, every email you received, every location you visited and every transaction you made on the internet? I'm pretty sure you wouldn't. To those who said yes, how about you send me an email with all your login credentials? I doubt you would, because you have something to hide. It's not a bad thing to have secrets; everyone has things they'd like to keep private, regardless of the type of person you are. You can read more about why the “nothing to hide” argument is fundamentally flawed here.

The NSA's Mass Surveillance Is Unlawful

Seven years after Edward Snowden exposed the NSA's mass surveillance operations, an American appeals court ruled the program unlawful and said US intelligence leaders had not told the truth about it[10]. The court described the mass surveillance as a:

warrantless telephone dragnet that secretly collected millions of Americans' telephone records

It was also ruled unconstitutional. US government officials had said that terrorists convicted in 2013 were caught thanks to the NSA's telephone record collection, but the court found those claims “inconsistent with the contents of the classified record.”

Beyond the court ruling, the American Civil Liberties Union (ACLU) has determined that the NSA's spying violates the Constitution and federal law:

The law on surveillance begins with the Fourth Amendment to the Constitution, which states clearly that Americans' privacy may not be invaded without a warrant based on probable cause.

They also state that the US Supreme Court made it clear that this law covers government eavesdropping.

Conclusion

In conclusion, the NSA's mass surveillance programs are not beneficial to the American population; in most situations they are actually harmful. Not only has the NSA failed to prevent terrorist attacks, it has also violated people's privacy and American law. We need to stand up to these ineffective, privacy-invasive and illegal operations.

If you'd like to defend yourself against the NSA's spying, I strongly suggest you take a look at the EFF's Surveillance Self-Defense guide. It is a great document to get started on improving your day-to-day privacy.

Sources

  1. https://pogo.org/analysis/2019/06/the-history-and-future-of-mass-metadata-surveillance/
  2. https://www.pogo.org/analysis/2019/06/the-history-and-future-of-mass-metadata-surveillance/
  3. https://www.pewresearch.org/fact-tank/2018/06/04/how-americans-have-viewed-government-surveillance-and-privacy-since-snowden-leaks/
  4. https://www.wired.com/2017/03/mass-spying-isnt-just-intrusive-ineffective/
  5. https://www.cato.org/commentary/no-mass-surveillance-wont-stop-terrorist-attacks
  6. https://www.eff.org/nsa-spying
  7. https://www.theguardian.com/us-news/the-nsa-files
  8. https://en.wikipedia.org/wiki/Edward_Snowden
  9. https://www.aclu.org/blog/national-security/privacy-and-surveillance/nsa-continues-violate-americans-internet-privacy
  10. https://www.reuters.com/article/us-usa-nsa-spying-idUSKBN25T3CK
  11. https://ssd.eff.org/
  12. https://aclu.org
  13. https://www.aclu.org/other/nsa-spying-americans-illegal

Ever heard the name “NordVPN”? I'm sure you have, because they advertise like crazy through YouTubers and real-world ads to gain exposure. They're basically the best-known VPN out there right now thanks to their huge marketing budget. What if I told you NordVPN isn't who they claim to be?

Disclaimer: This post is not sponsored by any company or entity.

Why You Should Stay The Fuck Away

NordVPN Was Hacked

Not many people know this, but NordVPN was compromised back in 2018 and didn't announce it until the following year.

The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN.

Nord's inadequate security measures led to this internal private key being exposed. With that key, a malicious party could have impersonated a NordVPN server and observed the traffic of users who connected to it.

What's funny, however, is that NordVPN was audited before it announced the breach, yet the auditors did not find the data leak. Sadly, NordVPN took down the full audit PDF, which used to be available here, but a source was able to provide me with the full audit. For their sake, I will not name the person who handed me the document, but I can confirm that the auditors did not find any vulnerabilities.

Moreover, adding to the dumpster fire, NordVPN didn't even encrypt the hard disks of its VPN servers. You'd think this is a basic practice that every provider follows, but for some odd reason they didn't. In this official NordVPN video they announce that they “now encrypt the hard disk of each new server”. Ironic, given that they sell encryption. It is worth knowing what that actually buys: full-disk encryption protects data at rest, so it matters when a data-centre operator images or seizes a drive, but it does nothing against someone who already has a shell on the running server.

NordVPN Leaked Account Details

On December 4th 2019, a user submitted a bug report alerting NordVPN that account information, including payment details, could be accessed with a simple POST request. By sending a specific request to a NordVPN endpoint, a user could retrieve another user's email address, currency, payment URL and other information.

NordVPN Has Ties With A Data Mining Company

A ZDNet article discusses Tom Okman, CEO of NordSec, NordVPN's parent company, and the involvement of Okman and the company with a firm called Tesonet. Tesonet is a large company that specializes in business solutions: it provides its partner companies with advisory support in fields including performance-based marketing, sales, technical support, recruitment, cybersecurity, machine learning and business hosting.

A since-deleted post by Best10VPN.com, still accessible via the Wayback Machine, goes in depth into evidence suggesting NordVPN is owned by Tesonet.

For example, one piece of evidence was that NordVPN processed PayPal payments through a company called CloudVPN Inc. Searching for Tesonet's IP addresses online returned results showing that CloudVPN is affiliated with Tesonet, as shown below.

Search Results Showing CloudVPN is Tesonet

Another point was that CloudVPN controlled NordVPN's development in 2017: in the Google Play “Additional Information” section of the Nord Android app, CloudVPN's office was listed as Nord's official office address.

CloudVPN Office Listed On NordVPN's Site in 2017

There is more evidence you can go through yourself in the original article linked above.

They Conduct Price Discrimination

In the Windscribe Discord server, another user and I did some investigation of the NordVPN website. We noticed weird behaviour where the pricing and discounts on the front page would change at random: sometimes it was 68% off, sometimes less. Looking at the cookies on nordvpn.com, we found that changing a cookie also changed the discount shown on the site and on the checkout page. They were giving different users different prices.

User Discovering NordVPN's Changing Discount

Furthermore, a more recent discovery I made revealed that NordVPN changes plan details and pricing offers based on another cookie, called the “experiment” cookie. Changing its value to a specific string unlocks “Nord Premium”, a bundle of NordVPN, NordLocker and NordPass for $90/yr. This might sound good, but the catch is that the other plans are stripped down: the 1-year and 1-month plans become “Nord Essentials” and “Nord Standard”, cut-down versions of regular NordVPN. For example, instead of allowing 6 connections, Essentials allows only 1, for the same price as normal NordVPN. This is basically a scam in my opinion.

Me Discovering Nord Premium

Nord Premium Pricing Page

What's really unfortunate is that people use NordVPN to avoid price discrimination like this, but in reality they're not escaping anything.

NordVPN Shares Your Information With Facebook

In August 2020, a Reddit user by the name of GildedGrizzly posted screenshots to r/VPN from their Facebook “off-site activity” section, showing that Facebook knew they used NordVPN.

One of the last things I expected to see there was Nord VPN, a service I started using because I wanted to take more control of my online privacy. In the linked screenshot there are 2 different mentions of Nord VPN, but there's a third farther down the list. I downloaded my data from Facebook's data downloader, and it looks like the activity that Nord shared with Facebook was limited to me going to their website and activating apps.

It seems apparent that NordVPN shared this user's activity with Facebook. Off-site activity like this is reported by Facebook's tracking pixel and app SDK, which a business has to embed in its own website and apps, so Nord put that tracking there itself. People use NordVPN to evade exactly this kind of tracking, but Nord doesn't care.

NordVPN’s Setup App Had Malware

A few months ago in 2020, NordVPNSetup.exe was flagged by 8 anti-malware engines, including Microsoft Defender and ESET, with the Presenoker detection. VirusTotal lists those 8 detections, showing that the Windows installer could have been carrying unwanted software. This was an official program released by NordVPN itself. For context, Presenoker is Microsoft's name for a family of potentially unwanted applications (installers that bundle adware or similar), so a handful of heuristic hits is not proof the installer was trojanised, but it is not what you expect from a privacy product's official download.

Here is another report on the infected NordVPN installer.

NordVPN Opted Out of Wayback Machine Crawling

Searching for “nordvpn.com” in the Wayback Machine returns an error saying:

Sorry. This URL has been excluded from the Wayback Machine.

NordVPN asked Archive.org not to crawl its website for archival purposes. This is suspicious and could mean they are trying to hide their past.

Conclusion

NordSec is a shady company with a lot of suspicious history. After doing thorough research into the company's past, I was shocked. A service that brands itself as the leading VPN provider is a fraud. To me, the evidence above makes NordVPN one of two things:

  1. A data-mining operation or a honeypot;
  2. Grade A clowns who have no idea what they're doing.

They're either too smart or too dumb for their own good. In either case, it is idiotic to use Nord's services if you care about privacy. I highly recommend using another provider and doing your own research into its background. And don't listen to advertisements or sponsored segments on YouTube. Don't trust, verify.


Believe it or not, the VPN industry is saturated and full of lies. When was the last time you heard the terms “Military Grade Encryption,” “Anonymity,” or “Encrypted Tunnel”? These are bullshit claims meant to get you to buy the VPN company's product: misleading marketing terms aimed at people who don't know better, in an attempt to scare them into purchasing the service.

Most people who buy these subscriptions will feel super secure and private, but VPNs aren't magical tools. They have limitations, and anonymity is one of them. Before we debunk the industry's lies, we need to understand how a VPN really works. Let's take a few steps back and review the basics.

What is a VPN?

A VPN (Virtual Private Network) is a technology that routes your Internet traffic through another computer or server. Businesses have long used VPNs to let remote employees reach company resources, such as internal servers, as if they were on the office network. The same technology was later sold commercially as a security and privacy product.

Personal use doesn't change the fundamental mechanism: your traffic is still routed through another server. The difference is that with a commercial VPN the connection between you and the VPN server is encrypted. The server decrypts your traffic and forwards it to its destination as normal, using the provider's IP address, which is why a website sees the VPN's address instead of yours.

Debunking Myths and Bullshit Claims


Claim: VPNs Anonymize You

From TorGuard VPN's homepage:

TorGuard VPN Service encrypts your internet access and provides an anonymous IP so you can browse securely.

This claim is false because a VPN on its own does not make you anonymous. It replaces one identifier, your IP address, and leaves every other one in place. Websites and analytics scripts can use browser fingerprinting to follow you across the internet, and that works without cookies. So even if you use “incognito” or “private browsing” mode, with or without a VPN, you will still be tracked unless you harden your browser for privacy.

Here's some more information on browser fingerprinting and how to mitigate it in Firefox.
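To make that concrete, here is an added example (not from the original post, and not any real tracker's code) of what a fingerprinting script does: it hashes attributes a page can read without cookies, so the identifier is unchanged whether the request arrives from your home IP or a VPN exit. The second half measures, over a small constructed population of visitors, how many bits each attribute gives away, which is what Panopticlick-style studies do and what browser hardening (Tor Browser, Firefox's resistFingerprinting) tries to reduce by making many users report the same values. All visitor data, including the user agents and canvas hashes, is made up.

```python
"""Browser fingerprinting survives an IP address change.

Added example. A tracker hashes attributes a page can read without cookies;
the result is stable across VPN exits because the IP address is not part of
it. The entropy helpers show how identifying each attribute is over a
constructed population of visitors.
"""
import hashlib
import math
from collections import Counter

FINGERPRINT_ATTRS = ("user_agent", "screen", "timezone", "languages", "fonts", "canvas")


def fingerprint(visitor: dict) -> str:
    """Identifier derived from page-readable attributes only; any 'ip' key is ignored."""
    material = "\x1f".join(f"{key}={visitor[key]}" for key in FINGERPRINT_ATTRS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def attribute_entropy(population, key) -> float:
    """Shannon entropy in bits of one attribute across the population (higher = more identifying)."""
    counts = Counter(visitor[key] for visitor in population)
    total = len(population)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def surprisal(population, key, value) -> float:
    """Bits of identifying information one observed value carries (-log2 of its frequency)."""
    matches = sum(1 for visitor in population if visitor[key] == value)
    return math.log2(len(population) / matches) if matches else float("inf")


def anonymity_set(population, visitor) -> int:
    """How many visitors in the population share this exact fingerprint (1 = unique)."""
    target = fingerprint(visitor)
    return sum(1 for other in population if fingerprint(other) == target)


def harden(visitor: dict) -> dict:
    """Approximate what a hardened browser reports: generic values shared by many users
    (UTC timezone, rounded screen, generic user agent, canvas read blocked). Illustrative only."""
    return {**visitor, "timezone": "UTC", "screen": "1600x900x24", "fonts": "default",
            "user_agent": "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0",
            "canvas": "blocked"}


# Constructed sample visitors (no real users, made-up canvas hashes)
BASE = {
    "ip": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0",
    "screen": "2560x1440x24", "timezone": "America/Toronto", "languages": "en-CA,fr-CA",
    "fonts": "DejaVu Sans,Noto Sans,Ubuntu", "canvas": "c3a1f0d9",
}
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/90.0 Safari/537.36"


def visitor_with(**changes) -> dict:
    return {**BASE, **changes}


POPULATION = [
    visitor_with(),
    visitor_with(timezone="Europe/Berlin", languages="de-DE"),
    visitor_with(timezone="Europe/Berlin", languages="de-DE", screen="1920x1080x24"),
    visitor_with(timezone="Asia/Tokyo", languages="ja-JP", fonts="Noto Sans CJK JP"),
    visitor_with(timezone="Asia/Tokyo", languages="ja-JP", fonts="Noto Sans CJK JP", screen="1920x1080x24"),
    visitor_with(screen="1920x1080x24"),
    visitor_with(user_agent=WIN_UA, fonts="Arial,Calibri,Segoe UI", canvas="9b0e4f21"),
    visitor_with(user_agent=WIN_UA, fonts="Arial,Calibri,Segoe UI", canvas="9b0e4f21", screen="1920x1080x24"),
]

if __name__ == "__main__":
    at_home = visitor_with(ip="203.0.113.7")
    via_vpn = visitor_with(ip="198.51.100.9")     # same browser, different exit IP
    print("same fingerprint through the VPN:", fingerprint(at_home) == fingerprint(via_vpn))
    print("visitors sharing it:", anonymity_set(POPULATION, at_home), "of", len(POPULATION))
    for key in FINGERPRINT_ATTRS:
        print(f"{key:11} {attribute_entropy(POPULATION, key):.2f} bits")
```

The goal of hardening is not a new unique fingerprint but a large anonymity set: harden() gives a value that nobody in the sample population shares yet, which is exactly why it only helps once many users report the same generic values.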


Claim: VPNs Encrypt Your Traffic

From ExpressVPN's homepage:

ExpressVPN hides your IP address and encrypts your network data so no one can see what you’re doing. One click, and you’re protected.

This claim is also widely used in VPN marketing. It's partially true, but still misleading, because it never says what exactly is being encrypted. As mentioned in the first section, commercial VPNs encrypt only the stream between you and the VPN server. When the server receives the encrypted traffic, it decrypts it and forwards it as normal. Once your traffic reaches the server, it is no longer protected by the VPN.

Because of this server-side decryption, the VPN provider can read all of your non-HTTPS traffic in full and log it. Even for HTTPS traffic it still sees the destination addresses, usually the server name sent in the clear during the TLS handshake (SNI), and typically your DNS queries, since most VPN clients send them to the provider's resolver. I'm not saying every service logs your traffic, but it is possible. They have full control over your Internet traffic and could manipulate it if they wanted to. Tampering with traffic would most likely be noticed by users, but passive logging would not.
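To see the difference between “encrypted” and “encrypted up to the VPN server”, here is an added example, not from the original post, that parses three constructed packets the way a passive observer at the VPN exit would: a plaintext HTTP login, the TLS ClientHello that opens an HTTPS connection, and one packet of an encrypted tunnel. It uses only the Python standard library; the host name, cookie and credentials are made-up sample values. The same parser describes what your ISP or a public Wi-Fi snooper sees when you are not using a VPN, which is the scenario in the “Protect Your Internet Traffic” section below.

```python
"""What an on-path observer (a VPN exit, or your ISP without a VPN) can read.

Added example. Three constructed payloads:
  * plaintext HTTP request   -> host, path, cookies and body are all readable
  * TLS ClientHello          -> only the server name (SNI) is readable
  * encrypted tunnel packet  -> nothing but size and destination
"""
import struct

HTTP_METHODS = {b"GET", b"POST", b"PUT", b"DELETE", b"HEAD", b"OPTIONS", b"PATCH"}


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension.
    Random and session id are zeroed because only the layout matters here."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack(">H", len(name)) + name        # name_type 0 = host_name
    sni_list = struct.pack(">H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack(">HH", 0x0000, len(sni_list)) + sni_list    # extension 0 = server_name
    ext_versions = struct.pack(">HH", 0x002B, 3) + b"\x02\x03\x04"    # supported_versions: TLS 1.3
    extensions = ext_versions + ext_sni                              # SNI deliberately not first
    body = (
        b"\x03\x03" + bytes(32)                   # legacy_version, random
        + b"\x00"                                 # empty session id
        + struct.pack(">H", 2) + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression: null only
        + struct.pack(">H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    handshake = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    try:
        pos = 2 + 32                                               # skip version and random
        pos += 1 + body[pos]                                       # session id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]       # cipher suites
        pos += 1 + body[pos]                                       # compression methods
        if pos + 2 > len(body):
            return None                                            # no extensions at all
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            lp = 2                                                 # skip server_name_list length
            while lp + 3 <= len(data):
                name_type, name_len = data[lp], struct.unpack(">H", data[lp + 1:lp + 3])[0]
                lp += 3
                if name_type == 0:
                    return data[lp:lp + name_len].decode("idna")
                lp += name_len
    except (IndexError, struct.error):
        return None                                                # truncated or malformed hello
    return None


def parse_http_request(packet: bytes) -> dict:
    """Everything a plaintext HTTP request hands to anyone who can read the bytes."""
    head, _, body = packet.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"kind": "http", "server_name": headers.get("host"), "method": method.decode("latin-1"),
            "path": target.decode("latin-1"), "cookie": headers.get("cookie"),
            "body": body.decode("latin-1")}


def observe(packet: bytes) -> dict:
    """Classify one payload the way a passive observer would and extract what is readable."""
    seen = {"kind": "opaque", "server_name": None, "method": None, "path": None,
            "cookie": None, "body": None, "size": len(packet)}
    first_line = packet.split(b"\r\n", 1)[0]
    if len(packet) >= 5 and packet[0] == 0x16 and packet[1] == 0x03:
        seen.update(kind="tls", server_name=parse_sni(packet))
    elif first_line.split(b" ", 1)[0] in HTTP_METHODS and first_line.count(b" ") == 2 and b" HTTP/" in first_line:
        seen.update(parse_http_request(packet))
    return seen


# Constructed sample traffic (fictional host, cookie and credentials)
HTTP_LOGIN = (b"POST /login HTTP/1.1\r\nHost: shop.example\r\nCookie: session=abc123\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\n"
              b"user=alice&password=hunter2")
TLS_HELLO = build_client_hello("shop.example")
TUNNEL_PACKET = b"\x04\x00\x00\x00" + bytes(60)   # stand-in for a WireGuard transport datagram (type 4), opaque body

if __name__ == "__main__":
    for label, pkt in (("plain HTTP", HTTP_LOGIN), ("HTTPS", TLS_HELLO), ("inside VPN tunnel", TUNNEL_PACKET)):
        print(f"{label:18} -> {observe(pkt)}")
```

Run it and the first line shows the observer getting host, path, session cookie and password in full; the second shows only shop.example from the SNI, with the URL, cookies and body unreadable; the third shows nothing but the packet size. Encrypted Client Hello (ECH) hides the SNI as well, but it is far from universal yet, and the destination IP address is always visible to whoever forwards the packet.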

Claim: VPNs Protect Your Location Data

From IPVanish's homepage:

Secure your Wi-Fi connection and armor your location data with VPN.

This claim is partially valid but hugely misleading. Here's the partially correct part: whenever you visit a website, your IP address is exposed to the server you connect to, and an IP address can be used to locate you, but only roughly. In most cases the most “location data” anyone gets from your address is the city or region you're in, and for mobile or carrier-NAT connections it is often off by much more. You can check what your address gives away with an IP checker tool.

Here's why the claim is misleading: visiting a website does not give away your exact location, so there is far less to “armor” than the wording suggests. The claim leaves out that context and is intentionally used to mislead the user.

Why You Should Use a VPN

Now that we've gone over a few myths, let's talk about what a VPN can do.

Protect Your Internet Traffic From Your ISP and Network Snoopers

Since commercial VPNs encrypt your Internet traffic up to the VPN server, they can hide your browsing habits from your Internet service provider or anyone else on the network. This makes them a great tool on public Wi-Fi, such as in airports, restaurants and hotels, because your traffic is unreadable to snoopers on that network. One check worth doing: make sure your DNS queries also go through the tunnel, because a DNS query that leaks to the ISP's resolver reveals every hostname you visit even while the rest of your traffic is hidden.

Get Around Censorship

In countries like China and Iran, Internet censorship is pervasive, but VPNs can help people get around the blocks. Because the traffic is encrypted up to the VPN server, the Internet service provider sees only an encrypted stream to one address, so the blocked sites themselves never appear in the clear. This lets most people circumvent their restrictions, though a censor can still recognise and block the VPN endpoint or protocol itself, which is why providers serving those countries offer obfuscated connection modes.

Conclusion

At the end of the day, VPNs aren't magical. They don't make you anonymous by themselves, they don't encrypt your traffic end to end, and the location they hide was only ever a rough one. Most companies are full of lies and make bullshit claims in hopes of attracting frightened customers. Do your own research and find a VPN that works well for you and doesn't advertise these claims.

Here are some of my personal suggestions in no particular order: IVPN, Windscribe and Mullvad. I am not sponsored by these companies.

Sources

  • This Video Is Sponsored By ███ VPN – YouTube
  • VPN Services – PrivacyToolsIO
  • Misleading promises of the world's fastest, anonymous, military-grade VPNs – IVPN Blog
  • TorGuard – Homepage
  • ExpressVPN – Homepage
  • IPVanish – Homepage
