Why? I've personally seen more news articles about Tor users getting de-anonymized than I have VPN users. Purely anecdotal, I know, but the point being Tor is obviously not foolproof, so I am curious why recommending one over the other is apparently enough for you to call the entire article into question.
Because if I was running SIGINT at the NSA and collaborating with the FBI to arrest activists, the very first thing I would do is start up a bunch of VPN providers that bill themselves as "private" and then log everything aggressively.
The second thing I would do is have useful idiots (i.e., influencers) spread vague anecdotes about Tor users being "de-anonymized" when VPN users are never "anonymized" to begin with. I would make sure these anecdotes never clarify whether it's "Tor users accessing Hidden Services and getting popped by a Firefox exploit" or "network attack that enables traffic correlation" so everyone fills in the blanks and assumes Tor is dangerous, when it isn't, thereby pushing activists to my VPN services.
After all. There is no real enforcement mechanism if a "private" VPN lies.
You mean the Silk Road which exposed the real IP of the web server due to misconfiguration? Tor can be compromised (run a bunch of exit nodes and do traffic correlation) but Silk Road made pretty basic mistakes.
>Because if I was running SIGINT at the NSA and collaborating with the FBI to arrest activists, the very first thing I would do is start up a bunch of VPN providers that bill themselves as "private" and then log everything aggressively.
Sure. But with a limited budget (of both the financial sort and the effort sort), this just isn't feasible. Who the hell wants to manage not one but twenty seemingly private industry vpn companies? Can they even reach break even status so that it's not a drain on the budget? How long for that? Worse, it entangles their revenue with that of the NSA, making the NSA more vulnerable to the sort of leaks they don't like to have, exposing them to foreign intelligence services and even journalists.
>spread vague anecdotes about Tor users being "de-anonymized" when V
Ulbricht found out the hard way. When you've got every fiber tapped around the world, it becomes trivial to deanonymize Tor users. Granted that it's nearly impossible to climb to the top of the US government's shit list like he did, but if you do manage the feat, they'll know who you are within days.
They did, and then they used something called parallel construction (legal term) to not give away the warrantless search that entails. Wanted to avoid fruit of the poison tree, or public backlash, or maybe even both.
Once he was identified, they trolled through his internet history to find something that if they were luckier than any investigators ever they might have found without cheating. Then claimed they actually did that. It was all horseshit. None of this is controversial. Didn't even have to hack Tor, traffic analysis sufficed.
A more constructive response is to explain why it won't work, rather than telling me to explain why it won't work.
My first post in this thread has a link that explains why VPN services aren't trustworthy.
But the thing I took more issue with is that Tor is omitted entirely. Tor is at least as safe as a VPN.
Trying to attack Tor users by registering exit nodes (a Sybil attack) is way more expensive than convincing users to simply not use Tor.
The fact that more effort is spent attacking Firefox (i.e., the Tor Browser) than the network is a data point worth considering when deciding your threat model.
Meanwhile, if you want to do traffic correlation against a VPN service that you don't already own, just pwn the datacenter that the VPN company is hosted in and watch packets coming in/out of the VPN.
If you want to try to reframe the conversation to be about defending Tor, you can have that conversation without me. I'm not here to defend Tor, I'm here to advise against using VPN services especially if you have a threat model where Tor is more appropriate.
Recommending ProtonVPN over Tor to motherfucking activists is an act of malfeasance that makes me distrust anything coming from this webpage.
There is one reason- VPN traffic, vs tor traffic monitoring. Tor traffic stands out and that has been used to nab people famously, like that bomb hoax incident. Which suggests cloaking tor with a solid VPN is the way to go. Yes, bridges may be an option as well, but I don't know that their ease of use is where it should be for everyone wanting to be hidden
IIRC they used NetFlow data to find the only Tor user. So as long as your VPN doesn't use a different exit than entry IP it's as easy to find you as the Tor user.
Or you know just use both because even the most shady VPN is more trustworthy than any ISP. There of course is always the option to just use a trustworthy vpn that even implements traffic analysis protection like mullvad
> The second thing I would do is have useful idiots (i.e., influencers) spread vague anecdotes
An unfortunate factor at play in these matters (and that I note in the article) is that the intelligence services are known to run the occasional shell company [0]. It seems likely that some privacy-oriented providers are actually intelligence fronts - because if you were running an intelligence collection agency an obvious thing to try would be a privacy-focused email company or something.
If it isn't built on a trustless model it isn't trustworthy.
