Honeypot/Airvpn/Giganerd/Trolling/Sheivoko

[LoveTheStorm]

Why it's so important for Airvpn users/trolls what a person does in him private life ?
Especially if CS vpn is largely demonstrated to be the perfect VPN for privacy and security ?
WTF is happening with this fucking world?

https://airvpn.org/topic/17010-cryptostorm/

Love the CS Stuff. Period.

Free to do what I want

[Khariz]

Awesome. Since he named me in the thread (I'm a vocal supporter of CS over at AirVPN), I'm going to take his invitation, and I'm going to post all of the reasons that I think CS is the cream of crop over there.

[Khariz]

There we go. I gave a long-winded post. It's worth a read. Just follow the OP's link.

Edit: based on PJ's good point in the post below I'm echoing my response to the AirVPN thread here. A couple of words of warning when reading my response: (1) I spent an inordinate amount of time taking about Mr. Spink. That's all anyone at AirVPN ever talks about when Cryptostorm is brought up, so I needed to address that and get it out of the way. (2) I purposely oversimplified the Widget. I know how hard everyone has worked on it, but it's not worth trying to explain to people who won't understand anyway. But all in all. I think I did a good job explaining myself.


BEGIN AIRVPN RESPONSE

Okay, well I will kick it off, especially because you called me out. I make no secret of the fact the I am an avid supporter of CryptoStorm. I hold an "aleph token" with them, which makes me a lifetime member, but I also buy a new standard token every year to continue to support the entity as much as I can. I truly think that Cryptostorm is as perfect as you can get with a VPN. Before I elaborate, let's get this out of he way:

I couldn't care less what Mr. Spink does/did in his personal life. I bet half the people who use this forum have been involved in some way or another with "drugs" at some point or another in their life. Granted, I figure a much lesser percentage will have been involved with bestiality, but to each their own (and I have no proof that he has been, nor do I care). Whether or not I've let a dog lick some peanut butter off my wang, or screwed a goat, doesn't make me any less of a privacy activist or amazing VPN service organizer and staff member. If anyone here wants to automatically disregard all of the awesome points there are about CryptoStorm because ONE of the staff members might have committed bestiality, then so be it. I think the technological achievements speak for themselves though.

For those of you who don't know, CryptoStorm is designed from the ground-up for the service to not know who you are, even before and during your "subscribing" to the service. This is accomplished through their token system. You can buy a token from anyone you want. I can sell you mine, you can buy one from a token seller, or from CS itself if you don't care about that extra layer of privacy. You log in with your (hashed) token and nothing else. No e-mail, no password, nothing. All they know is when a token is set to expire. They don't know who you are and don't care. Tokens are freely transferable. If I buy 10 tokens, I can sell them to 10 different people and CS has no clue who any of those ten people are. It's brilliant.

They log nothing. They log even less than AirVPN, and they don't keep any active session data either. There's really no way to track the users at all. They null route all of the logging functions that are inherent in the system. You can read more about that here: viewtopic.php?f=47&t=6332&p=10139

Contrary to popular belief, CS is just as open source as AirVPN is. You can get the code for whatever you want on their github, and if anything is missing, just ask for it on the forum and you'll get it forthwith. They encourage the use of OpenVPN rather than their proprietary client, which the call the "widget". df will supply you the source code for the widget if you want it. It's just an OpenVPN wrapper though, so that less tech saavy users can just use it out of the box. See the github for details on how stuff works: https://github.com/cryptostorm

Another innovation of theirs that I feel the need to highlight is their DNS system, which they have dubbed "deepDNS". I personally find this to be the best DNS option out there, especially with the newest addition to the DNS, which they are calling TrackerSmacker. DNS is run on each server, just as it is here at AirVPN. Unlike AirVPN though, when you are using the CS DNS, you are able to natively resolve .onion and .i2p extentions without even being on TOR or the Invisible Internet Project. You are just happily browsing away in your browser, going to .com to .onion at will, with no need for TOR. You can, of course, use TOR over the VPN if you want, but it's just not necessary. DeepDNS has no logging of course, and as of about a week ago, it no protects you from malicious trackers and ad-based malware automatically (you can opt out and be tracked by malicious crap if you want to, due to your overly-libertarian beliefs or whatever). See here for some information on the deepDNS: https://github.com/cryptostorm/cstorm_deepDNS and see here for details on the TrackerSmacker: viewtopic.php?f=46&t=8981&p=15603

I could speak ad naseum over all the reasons that I think CS is the best VPN out there, but I'll stop here for now. Maybe I'll expound more later. There's so many awesome things to talk about, but I'm done geeking out for the present moment.

TL;DR? There's only two VPN Services that I trust with my data, and those VPN Services are AirVPN and CryptoStorm. There is no VPN service out there that is better than either one of these. CS is technically my primary VPN. I just feel ever so slighly more comfortable on their network. But I use AirVPN on a daily basis too. If you can get over the fact that some dude might like animals, you may think CS is pretty awesome too!

END AIRVPN RESPONSE

[Pattern_Juggled]

There we go. I gave a long-winded post. It's worth a read. Just follow the OP's link.

I might suggest you echo a copy into here... just in case it, you know, gets "accidentally deleted." (not saying that's inevitable, or saying Air specifically has a history of that - I'm actually just making a general observation based on a few decades' time posting stuff on the internet ).

It's always a bit strange for me to read the "honeypot" silliness, wrt cstorm. This would be the most bizarre, most unlikely, most unproductive honeypot in the history of honeypots. That doesn't stop some folks from attempts at walking us down that road, in terms of accusations... but really. It's a bit of a strange one, right? Unlikely in the extreme.

Not to mention, of course, that the team here has quite a few years of very public honeypot awareness advocacy we've done - which has brought more than a little criticism and hot air our way, to be blunt. However, it's an important topic and it's something we've been keen to discuss, explore, and study for longer than most of these "VPN services" have been taking money from "users."

There's real honeypots out there (not imaginary ones, like cstorm - because seriously). There's real "VPN service" honeypots, ffs! Some are already exposed; I'd wager very good money that most are not yet exposed (because there's little incentive to put the time and effort into exposing them - I speak from experience on this, frankly). Those unexposed ones aren't very hard to pick out, once one studies the patterns created by those which have been exposed in the past; hence our "honeypot awareness" thread, and community education efforts, dating back quite a few years.

It's a bit of a shame, because in technical terms Air isn't the worst VPN service out there - not even close. We've crossed swords with them before, here and there, over the years (those who have some miles under their wheels will likely remember such dust-ups quite well). All I'd say, speaking personally and not on behalf of the cstorm core team, on that is that... well, they sure don't have any substantive technical criticisms of cstorm to offer, do they?

Indeed, not so much.

It's a strange kind of honour to have the work one's team does quite clearly transform an industry (even a little "industry" like the VPN world) - often as not, such transformative impact isn't explicitly credited to those who make it happen; it's the nature of paradigm shifts that, ex ante, they don't seem to have had proximate causes (h/t Thomas Kuhn). That said, we on this team have watched over nearly a decade's time as our far-fetched ideas, decisions, and no-compromise willingness to set a higher expectation for what can be done in this space have gone from outsider status to de rigeur default for hundreds of me-too "VPN services" (who, not uncommonly, have simply copy-pasted chunks of our stuff, unattributed, into their own marketingspeak... which is creepy).

So, yeah. We mostly let our leadership by action speak for itself - when it matters most. And, well... in terms of priorities, we've got our focus squarely on our work on behalf of cstorm's members and the community overall. The childish, personal-attack, ED-style nonsense just isn't as exciting, to me anyhow, than back in the 1980s when I first saw trolls doing such things on pre-internet BBSes, and whatnot.

I grew up, I suppose. Unlikely as that may have seemed, a few decades past.

...not everyone has. So it goes.

Cheers.

[Khariz]

Good suggestion. I edited in my response in my above post.

[fggqq]

cs is all about member security.

character assassination speaks lowly of CS's contenders.

i wanna know giganerd's real life id. so doxx him legally for us all.

[Khariz]

The following post is an ECHO of AirVPN Staff's retort to my post:

Hello!

Off Topic

Quote
This is accomplished through their token system. You can buy a token from anyone you want. I can sell you mine, you can buy one from a token seller, or from CS itself if you don't care about that extra layer of privacy. You log in with your (hashed) token and nothing else. No e-mail, no password, nothing. All they know is when a token is set to expire. They don't know who you are and don't care. Tokens are freely transferable. If I buy 10 tokens, I can sell them to 10 different people and CS has no clue who any of those ten people are. It's brilliant.

Quote
I've read about the token system, and honestly, this is something revolutionary.

Frankly it does not seem revolutionary. It's a viable method that could and has been used since the birth of OpenVPN, with different names. How does it differ from buying and selling certificates and keys, or even coupon codes, with AirVPN or any other VPN supporting a proper OpenVPN implementation? It's not that if you find a new name for a procedure you make it "revolutionary"... and just like with CS, you can connect to any AirVPN server without logging any account in anywhere.

Off Topic

Quote
They log nothing. They log even less than AirVPN, and they don't keep any active session data either. There's really no way to track the users at all. They null route all of the logging functions that are inherent in the system. You can read more about that here: viewtopic.php?f=47&t=6332&p=10139

Well, from the link you provided, they log more than AirVPN. See here:

Off Topic

Quote
You can set the main and status logs to /dev/null to truly disable logging, but that will mean the provider won't have access to useful stats such as how many users are currently connected to an instance (and thus, to each physical server). Most of them (including us) need that information to keep track of how busy a particular server is.

Since we don't like the idea of real IPs showing up anywhere in the status logs - temporarily, permanently, or anywhere in between - but we still need in operational terms to know how many people are connected to each server, we modified the OpenVPN source so that the number of connected users can still be viewed

So: we send OpenVPN logs to /dev/null and we keep the same stats with a different method in RAM (while they keep them in HDD?), losing them when the session is over.

They modified OpenVPN source (has this source code modification been peer reviewed properly?) to NOT send OpenVPN logs to /dev/null.

Honestly, who logs more? Both approaches are interesting in our opinion, but don't say that we log more than Cryptostom.

Off Topic

Khariz, on 17 Mar 2016 - 23:11, said:
Another innovation of theirs that I feel the need to highlight is their DNS system, which they have dubbed "deepDNS". I personally find this to be the best DNS option out there, especially with the newest addition to the DNS, which they are calling TrackerSmacker. DNS is run on each server, just as it is here at AirVPN. Unlike AirVPN though, when you are using the CS DNS, you are able to natively resolve .onion and .i2p extentions without even being on TOR or the Invisible Internet Project.

Just like with tor2web service and similar services. However: is it really a good idea to access onion sites from outside Tor? Think about it, we'll do the same.

Kind regards

[LoveTheStorm]

So, yeah. We mostly let our leadership by action speak for itself - when it matters most. And, well... in terms of priorities, we've got our focus squarely on our work on behalf of cstorm's members and the community overall. The childish, personal-attack, ED-style nonsense just isn't as exciting, to me anyhow, than back in the 1980s when I first saw trolls doing such things on pre-internet BBSes, and whatnot.

I grew up, I suppose. Unlikely as that may have seemed, a few decades past.

...not everyone has. So it goes.

Cheers.

----------

Other replies from zhang troll, PJ has right:

They change servers without warning, currently most of their servers are in 5 eyes countries,
navigating on forums is impossible because of the wierd fonts and tons of markov chain
pseudo-technical talks which are either known facts or some far fetched theories.

There is no real company behind it, and that's a bad thing since it means you don't know
who you actually trust. And generally it looks like the average age of their Staff is about 18.

Anyway i want to dwell on "They change servers without warning, currently most of their servers are in 5 eyes countries," Only. And I would appreciate an answer also for possible changes in future about server etc..

I must say that this is true and i have already written here in one other topic the same doubts/dangers/concerns. Why this choices? For example 5! servers in US?
I have seen the old node list, and there were servers in russian, iceland, asia.. so really fucking good.

viewtopic.php?f=32&t=8957&p=15587#p15587

Why all this servers now in these "suspicious/snoops" countries? I mean, Netfilx is not so important for "privacy" and so on..


ALso what you think about this Air reply?

So: we send OpenVPN logs to /dev/null and we keep the same stats with a different method in RAM (while they keep them in HDD?), losing them when the session is over.

They modified OpenVPN source (has this source code modification been peer reviewed properly?) to NOT send OpenVPN logs to /dev/null.

Honestly, who logs more?

Thank you Staff

[Khariz]

Here is a response to a user that AirVPN gave when asking about logging:

Hello!

We use ram disks and we send OpenVPN logs to /dev/null

It is totally unnecessary to keep logs to show you the data you can see in your control panel while a connection to a VPN server is still active.

About the 5 GB limit to obtain a refund, that's a non-enforceable clause, that anyway you are bound (as a gentleman) to respect if you ask for a refund. We have no way to discover this, if you cheat, so in practice refunds are always guaranteed regardless of the amount of exchanged data.

On the contrary, we DO log the starting date of an account subscription. That's obviously mandatory for fiscal reasons and to determine when a subscription will end. Keeping the starting date of a subscription can not be considered a privacy breach, not even with the most fantastic arguments.

It's not unusual to see non-enforceable clauses in various contracts, including VPN services. For example, just like any other VPN service, we forbid certain usage of our services, but since we don't monitor clients traffic it is not always possible to determine the author of a violation "ex-post", and it is impossible to determine it "ex-ante".

However, it's important that we put such restrictions on the contract you accept, because a contract breach gives us the rights to perform any investigation we deem appropriate if a proper authority warns us about such violations (think about the prohibition to use our service in any way that infringes - or aid the infringement - of human rights as enshrined in the ECHR).

Additionally, and perhaps more importantly, the contract aids to preserve our rights under the EU legal framework. Mere conduit status and liability exemption for users behavior are rights of providers of services in the Information Society that are valid only if precise conditions in articles 12, 13, 14 and 15 of the 2000/31/EC Directive are met.

It is critical that we operate correctly in this legal framework if we ("we" all as persons, not only "we" as business operators in a specific field) wish to maintain viability of services that effectively enhance privacy in a world in which some sectors even of western democracies are progressively becoming hostile toward privacy, encryption and anonymity layers. Therefore, the Terms of Service of AirVPN are useful in the end not only to us, but also to all the users and customers of the service.

Kind regards
AirVPN Staff

I think those are pretty good answers

[LoveTheStorm]

First: in my previous comment "Honestly, who logs more?" is part of that my last quote about Air reply obviously, my wrong eh eh !

Here is a response to a user that AirVPN gave when asking about logging:

Hello!

We use ram disks and we send OpenVPN logs to /dev/null

It is totally unnecessary to keep logs to show you the data you can see in your control panel while a connection to a VPN server is still active.

-------

Kind regards
AirVPN Staff

I think those are pretty good answers

I don't see any real differences in both approachs. Both use ram at the moment only, so there is not real log for what i can understand.

[Pattern_Juggled]

We use ram disks...

I'm at a loss as to the relevance of "ram {sic} disks" regarding logging policies. RAM "disk" is just another kind of physical storage media; in many respects, it's not dissimilar from SSD "hard disks"... though of course a RAM disk is instantiated in "real" Random Access Memory (thus: RAM), and SSD hardware is based on a different physics... with the latter remaining "stateful" upon power-off and the former (more or less, but not immediately and in some cases not irreversibly) being erased to blank state without power.

Which is to say, the difference relates to what happens when a machine is hard power-cycled fully and for a nontrivially short period of time. Since any reasonably well-run "VPN service server" (we call them nodes, which has now been copied by lots of copycat services, tbh) will not be powered-down regularly - if at all - in the course of months or years of production usage, the distinction as to how data are handled during powerdown is... of very little functional relevance in the context of logging.

Plus, of course, it's both possible and fairly common to have RAM disk configurations write-out snapshots of their contents to a "real" hard drive so that - you guessed it - if the machine powers down unexpectedly, those data are not lost once a successful reboot takes place. So, simply assuming that "RAM disk" means "logs magically vanish" is sort of, well, silly.

(yes, one can build a machine with only RAM disk - though it'll have to boot up from some other physical media to get its kernel and packages loaded up... obviously - or with RAM disk that does not flush/mirror to physical disk and thus is potentially able not to retain copies of data stored within its arrays after a hard reboot. But neither are, afaik, default configurations in any mainstream linus distro - or unix distro, or Solaris, or NextOS, or whatever. )

and we send OpenVPN logs to /dev/null/

That kind of sounds clever - just pipe logs to /dev/null and done... but it's deeply flawed. The process of piping the logs does, in fact, pass the logs - which exist, and are real - through the kernel and over to that nonexistent place of storage we all know and love so well. If something goes wrong along the way, or if the kernel does clever stuff to make sure that in the case crashes happen, data aren't gone forever (which most computational platforms consider to be a really, really bad thing and thus work hard behind the scenes to avoid... doing alot more work on that task than most folks sitting at the terminal every realise), those "dev-null'd" logs suddenly exist and are easily accessible.

Derp.

Since that's A Problem, and Problems are best avoided rather than being apologised for down the road (the "oops gee really sorry" approach, one might call it), we modded the source code of the OpenVPN application itself, to entirely eliminate the process of retaining any logs in the first place.

Now, it's not like that modification is tens of thousands of lines of amazingly clever, achingly beautiful software poetry; it's a fairly small tweak, though to be fair it took some testing and fine-tuning to make sure that, in production, it doesn't break other stuff that really has to work for the network to function effectively. Even so (and it's a published edit, so anyone can apply the diff to their own ovpn src before they compile runtimes - no secrets here, no wheels needing to be reinvented), it's a nicely-done bit of coding, if I may humbly say so, and in doing so credit the inestimable df who... pretty much did all the actualiy "making software that actually works when compiled and executed" as opposed to me who merely writes about such endeavors after the fact.

Irrespective, eliminating the actual code - source, and concomitant binary snippets at runtime - is a vastly more elegant, and vastly less fail-prone, way to do away with unwanted logs than is the approach of just letting openvpn make the logs, letting it pass them to the kernel, and then letting the kernel and all it's various brilliant bits and subsystems, in turn, pass it to the file manager which then passes it to a directory that doesn't actually exist... which then makes the file actually not-exist, by whatever means that happens in the tiny little pocket universe that is /dev/null in linuxville (sorry, too lazy to look up the wikipedia link on that - and not quite dishonest enough to pretend I don't need to ).

Anyhow, that's how we did it. We are pretty confident that our approach doesn't suck. Which makes us feel pretty good, right? Right.

It is totally unnecessary to keep logs to show you the data you can see in your control panel while a connection to a VPN server is still active.

As I've no idea what kind of data their "control panel" shows during an active session, I don't know if this statement, prima faciae makes logical sense, or not. It might come down to ontology/semantics... in that the data in the control panel itself form, themselves, a kind of "log"... but that's purely speculative.

We don't have a control panel with spinny dials and gizmos and blinking text and such... when the cstorm widget connects, it's connected. It, speaking precisely, removes itself from the Windows UI entirely - going back to lurk in the taskbar. As there's no actual benefit from all of that blinking-spinning eye-candy distraction-ware, we simply decided to do away with it. All of it.

That probably says alot about not only our design philosophy - don't clutter stuff up just because "everyone else does it," or because it makes a piece of user-facing software look "cool" or "fancy" - it also says quite a bit about where we prioritise our efforts: the widget is a way to get connected to the cryptostorm network, and not the reverse. The best thing it can do is do its job - connect, and stay connected - at which point it's irrelevant to the real work of securing traffic transiting the network bidirectionally.

Anyhow that's how we see things.

It's easy to write about "no logging" - it's not so easy to actually do it, and do it in an demonstrably effective way. That's what we've learned, since our team first introduced a "no logging" policy... back in 2009, which at the time caused us to be excoriated as "irresponsible" and "illegal" because we weren't retaining usage logs.

Oh the times, how they are a-changing...

[Khariz]

Here is the newest anti-Cryptostorm rant over at AirVPN:

Looks like they actively started to conduct Man-In-the-Middle attacks on their users, and this already created quite a storm on Twitter, although not exactly a crypto one.

https://twitter.com/ba_lock_ae/status/7 ... 6777312256

I guess this can conclude that the whole buzzword fluff on their barely readable forums, which you can use only with disabled 3d party fonts, is a useless random ranting and controversy.

Using Snort in preventive mode on a public VPN service nodes is just blatant disrespect towards users.