
Qestions Qestions Qestions

Postby rambl3r » Tue Dec 30, 2014 12:51 pm

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

3. What tools are used to monitor and mitigate abuse of your service?

4. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

5. What steps are taken when a valid court order requires your company to identify an active user of your service?

parityboy
ForumHelper
Posts: 905
Joined: Wed Feb 05, 2014 3:47 am

Re: Qestions Qestions Qestions

Postby parityboy » Tue Dec 30, 2014 5:15 pm

@OP

This is totally unofficial (I'm not staff) but I'll try to get the ball rolling.

1) As far as I am aware (from talking with staff in IRC) CS has patched OpenVPN such that it does not log the IP address of connected members - I've actually seen the patches myself.

3) Again from talking with staff in IRC, they use the usual intrusion detection tools (Snort, I think) along with some custom stuff to detect incoming attacks.

5) A court order would be useless because there is quite literally no information to share. Additionally, the network itself is hardened against NSA-style rollback attacks. Not sure about traffic correlation attacks though, staff will be able to clarify that part.

cryptostorm_support
ForumHelper
Posts: 296
Joined: Sat Jan 26, 2013 4:31 am
Contact:

Re: Qestions Qestions Qestions

Postby cryptostorm_support » Fri Jan 02, 2015 4:35 am

For number 1, we do not keep ANY logs dealing with the VPN service, and it's been a substantial effort to make sure this is actually so, and it extends beyond the logs that would be generated by OpenVPN. Making sure you've disabled all log generation is difficult but absolutely vital, and any service that would have you believe this task is easy is either lying, not doing so themselves, or both.

4. We get DMCA requests constantly, and our response is typically to request proof that isn't bot-generated and to inform them that we do not keep any logs, and have nothing that would help them track down anyone so they're wasting their time.

5. We have no logs to give, but we have the seppuku pledge where we vow to pull the plug and kill our whole network if we're ever forced to spy on a user and give up their personal info.

As for questions 2 and 3, I will defer to others better able to articulate a response, and I will see if I can prod them into replying to those questions.

Pattern_Juggled
Posts: 1493
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Re: Qestions Qestions Qestions

Postby Pattern_Juggled » Thu Jan 22, 2015 8:36 pm

I've been tasked with replying to this post, and I apologise for being terribly slow in doing so.

This is next up in my task queue, so it should be done shortly. Thanks, parityboy, for the interim reply!

Cheers,

~ pj

marzametal
Posts: 487
Joined: Mon Aug 05, 2013 11:39 am

Re: Qestions Qestions Qestions

Postby marzametal » Tue Mar 03, 2015 11:00 am

Got a question, perfect... I found a Questions Questions Questions thread!

Go here - https://www.grc.com/x/ne.dll?bh0bkyd2
Scroll to the bottom, click on the Proceed button... should be the one just above the footer disclaimer...

Scroll down a bit, and click on ALL SERVICE PORTS. It will run a test to see if ports are open/closed/stealth...

When I ran this test while connected to the ISP, I got all green...
isp.jpg
all stealth ports...

When I ran this test while connected to the darknet, via Iceland, I got mixed results...
vpn01.jpg
mixed port conditions...
vpn02.jpg
vpn03.jpg
list of ports...


Should I be worried? lol...


Topic Author
Guest

Re: Qestions Qestions Qestions

Postby Guest » Tue Mar 03, 2015 3:45 pm

I do believe that's the port striping feature.
Allows you to connect to most any port to get around isp blocks.

I'm unsure if these are open to anything beyond openvpn tcp/udp connections.
I've not been able to forward ports on my kinda complex setup- haven't put much effort into figuring it out though tbh. I think it's possible?

In any case- that's the same as the test looks for me.

Pattern_Juggled
Posts: 1493
Joined: Sun Dec 16, 2012 6:34 am
Contact:

Port Shuffling

Postby Pattern_Juggled » Tue Mar 03, 2015 4:46 pm

Guest wrote: I do believe that's the port striping feature.
Allows you to connect to most any port to get around isp blocks.

I'm unsure if these are open to anything beyond openvpn tcp/udp connections.
I've not been able to forward ports on my kinda complex setup- haven't put much effort into figuring it out though tbh. I think it's possible?

In any case- that's the same as the test looks for me.


That's correct, it's what we are now referring to (mostly) as "port shuffling" - which is the ability of our nodes to listen on and accept inbound network connections from members on any port in either TCP or UDP. (we've also referred to this as port striping - my favourite, fwiw - port spraying and infamously as "port whoring"... which is descriptive but a bit overly evocative)

As we've not yet done a proper technical write-up of the feature (df did some basic outlines but since then, we've been lax in getting back to do more details), it's understandable that seeing all those "open ports" is worthy of concern.

The ports aren't actually open in a conventional sense. They do respond to pings, which itself is an opsec choice that we feel comfortable with. But they don't have services bound to them... anyway this deserves the proper write-up it's not yet received, as well as its own thread, so I'll poke the crew to see if we can get that done timely.

Cheers,

~ pj

marzametal
Posts: 487
Joined: Mon Aug 05, 2013 11:39 am

Re: Qestions Qestions Qestions

Postby marzametal » Thu Mar 05, 2015 7:46 am

Thanks for the clarification!

marzametal
Posts: 487
Joined: Mon Aug 05, 2013 11:39 am

Re: Qestions Qestions Qestions

Postby marzametal » Sun Apr 26, 2015 8:52 am

Another question...
Yesterday I saw 10.44.0.25, for the first time it reached 25.
I was wondering how high can the #25 go for an exit node? Is it 255 or 32?

Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Qestions Qestions Qestions

Postby Fermi » Sun Apr 26, 2015 2:38 pm

marzametal,

The mask provided is 16 bits: ex 10.88.0.18 255.255.0.0

/Fermi

parityboy
ForumHelper
Posts: 905
Joined: Wed Feb 05, 2014 3:47 am

Re: Qestions Qestions Qestions

Postby parityboy » Sun Apr 26, 2015 7:09 pm

@marzametal

The last octet can go up to 255, but .0 is the network address, .1 is the gateway address and .255 is the broadcast address, so 10.88.0.0, 10.88.0.1, and 10.88.0.255 are reserved. Everything else - from .2 to .254 - can be used for connecting clients.

Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Qestions Qestions Qestions

Postby Fermi » Sun Apr 26, 2015 8:13 pm

@marzametal, @parityboy,

In theory, due to the 16 bit netmask, one could even have more than the 252 connections ... 10.88.1. , 10.88.2.
IP Address: 10.88.0.0
Netmask: 255.255.0.0
Wildcard Mask: 0.0.255.255
CIDR Notation: /16
Network Address: 10.88.0.0
Usable Host Range: 10.88.0.2 - 10.88.255.254
Broadcast Address: 10.88.255.255
Binary Netmask: 11111111.11111111.00000000.00000000
Total number of hosts: 65,536
Number of usable hosts: 65,533
IP Class: A (0.0.0.0 - 127.255.255.255)

but ofc performance will limit this number ... .

/Fermi


Fermi
ForumHelper
Posts: 174
Joined: Tue Jun 17, 2014 11:42 am

Re: Qestions Qestions Qestions

Postby Fermi » Sun Apr 26, 2015 11:45 pm

@parityboy

The default gateway of the 10. network is 8 bit (class A). It is no problem to provide this address with a 16 bit netmask (class B). But this has consequences for the broadcast address.
The broadcast address is obtained by doing a binary OR between the subnet address and the inverted subnet mask. In this case resulting in 10.88.255.255.
It is also a general misconception that the broadcast address needs to end on 255.
This is explained very well in: http://www.wikihow.com/Calculate-Networ ... st-Address.

Regards,

/Fermi
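
The broadcast calculation described in the post above, worked through in code as an added example (not part of the original posts or of cryptostorm's tooling). It ANDs the pushed address with the mask to get the network, ORs in the inverted mask to get the broadcast, and assumes, as stated earlier in the thread, that the first host address is the gateway; the function name `subnet_facts` and the /26 comparison case are illustrative.

```python
import ipaddress

def subnet_facts(address: str, netmask: str) -> dict:
    """Derive network, broadcast and client pool from an address and netmask."""
    addr = int(ipaddress.IPv4Address(address))
    mask = int(ipaddress.IPv4Address(netmask))
    inverted = mask ^ 0xFFFFFFFF            # the "wildcard" mask: host bits set
    # A valid netmask is 1-bits followed only by 0-bits, so inverted is 2^n - 1.
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    if inverted < 3:
        raise ValueError("subnet too small for network, gateway, client, broadcast")
    network = addr & mask                   # clear every host bit
    broadcast = network | inverted          # set every host bit
    gateway = network + 1                   # assumption: first host is the gateway
    # Cross-check the bit arithmetic against the standard library.
    ref = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    assert int(ref.network_address) == network
    assert int(ref.broadcast_address) == broadcast
    to_str = lambda n: str(ipaddress.IPv4Address(n))
    return {
        "cidr": f"/{bin(mask).count('1')}",
        "network": to_str(network),
        "gateway": to_str(gateway),
        "broadcast": to_str(broadcast),
        "first_client": to_str(gateway + 1),
        "last_client": to_str(broadcast - 1),
        "total": inverted + 1,
        # network, gateway and broadcast are not handed to clients
        "clients": inverted + 1 - 3,
    }

if __name__ == "__main__":
    # The address/mask pair quoted in the thread, then a /26 to show that a
    # broadcast address does not have to end in 255.
    for address, netmask in [("10.88.0.18", "255.255.0.0"),
                             ("10.88.0.18", "255.255.255.192")]:
        facts = subnet_facts(address, netmask)
        print(address, netmask)
        for key, value in facts.items():
            print(f"  {key:13} {value}")
```
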

marzametal
Posts: 487
Joined: Mon Aug 05, 2013 11:39 am

Re: Qestions Qestions Qestions

Postby marzametal » Mon Apr 27, 2015 6:54 am

Cheers for the info fellas...
Also found this on the forum, knew it was lying around somewhere but blame my hangover for not realising before asking...

viewtopic.php?f=46&t=6076&hilit=octet


