Boingboing bbs discouraging privacy?


#1

I would expect that if any website was going to support the use of VPN software by its users, it would be bbs.boingboing.net.

Or is this inherent to the software? And what is it trying to accomplish?


#2

I appreciate your paranoid-by-default stance on things (It’s good to be a skeptic) but in this case, the likely answer is someone was banned from that IP (likely, someone was banned then tried to use a VPN to get around the ban, thereby causing all those users to be banned as well).

Spammers also love to use those VPNs to spam from, so it’s also possible Akismet banned that IP as well.

There’s no “policy” being pushed by anyone, other than the community guidelines pointing out that 1) thou shalt not spam and 2) thou shalt not attempt ban evasion by using other IPs.


#3

I supported Axent’s VPN for a long time, used and supported Nortel’s, helped develop parts of Blueroam’s OpenVPN implementation, set up GRE tunnels, tunnel over IPsec/HTTPS/SSH, and also track entrance and exit nodes for tunneling activity.

AMA.

I’ll tell you the who, what, and why’s. But be warned, it is a deep rabbit hole.


#4

I appreciate that those rules are necessary, but if the filtering is implemented in a way that inhibits the legitimate use of privacy software by legitimate users who aren’t violating those directives, then is there any way to come up with a compromise?


#5

Yeah, buy a physical burner which you can tether to, pay either in cash or gift cards (paid in cash), and for the love of all don’t try and use sophisticated encryption.

Otherwise you will be mitm’ed, and stand out. Kinda like saying, “that was a lovely BBQ, comrade”.


#6

There are other ways to identify folks than their IP, right? It’s possible to make like a fingerprint of somebody’s system based on the configuration of that system, innit?

And if so, wouldn’t that be a more robust method than banning IPs?

Also, doesn’t this kinda blow a hole in the whole anonymity via VPN thing?


#7

VPN doesn’t anonymize you. It just protects your privacy up until your traffic emerges from the remote server that you are connecting to. VPN does provide protection when you are using an open wifi network, like at a cafe, and it protects you from having your traffic monitored by your ISP who would love to scan your actions and monetize the data that they collect on you. But you need to look elsewhere for anonymous browsing.


#8

Yes, with client side software installed. People who believe in the Privacy Fairy probably wouldn’t want to do that.

To be more factual, a VPN encrypts traffic between endpoints. The data within the tunnel can of course be intercepted and MITM’d or one of the endpoints may not be in a trusted state. “Privacy” has nothing to do with it.

That is not guaranteed either. Even with a full IPSEC tunnel between an endpoint and a gateway, the endpoint will leak at least DNS which can allow an observer to infer some things.

Most of the commercial VPN products just set up SSL sessions which do not provide full traffic encryption so it is likely that an observer will see much more than just DNS queries.

Cryptography is not a magic word to be invoked randomly.


#9

The problem is, anything that is useful online from an infrastructure perspective invariably also can be used to hide nefarious purposes as well, which in this case includes spammers. They use VPNs from botnets and compromised credit cards to spam with impunity and cause all sorts of innocent bystanders to get caught up as collateral damage as a result.

This is part of why we try to use a light touch with IP Bans, but unfortunately the VPNs, and ever more sadly, Tor nodes, tend to be the first casualties thanks to botnet and spam activity.

I’ve been managing BB’s Tor node for years now and I know firsthand from the angry emails I get as the responsible ARIN contact how many people misuse Tor to do bad things. They, by extension, make Tor nodes less useful for those who actually need them, even, ironically, VPN users, as many VPNs have to block Tor nodes as a result.

It’s a mess. I hate it, but that’s the way it is.


#10

DNS leakage plus looking at differential packet round trip times is one of my favorite methods. The old joke of “9 proxies” is still funny, but won’t protect you. IP banning is the blunt hammer, heck, I still do it. But differential and/or statistical traffic monitoring is waay more effective.

And I’m not talking netflow garbage. TLS negotiation feature fingerprinting (that’s a mouthful), out of band network comms, timing analysis, and netblock analysis are all used today. But ya have to get it just right, or–I am not joking–you could block a billion people from your services in the blink of an eye. (BGP giveth, and BGP taketh away)


#11

I lol’d!

So I’m gonna guess that you don’t believe in the Privacy Fairy either?

On another note, do you still remember the first time for doing a network traffic dump and watching the flows? Or the first time you saw something awful go across the wire?


#12

Hmm. A “no post list” that lumps legitimate users with spammers because of a few bad actors from the same IP? Sounds like security theater to me :)


#13

Oh God yes. The first time was just after a SANS conference. I was a young pup then, and rocked a look that made strangers come up to me and ask, “are you slim shady?”.

The most memorable is still “The Hearse”, which I uncovered in early 2000’s. Luckily the flows were only encoded–base64–not actually encrypted or XOR’ed. So I was able to unpack them pretty quick.

My boss had to translate the actual text moving across the wire. It was colloquial Russian, and he was an expat.

… I should give him a call, it’s been years.


#14

I think for me it was in the early 90s, simple thing really, the UNIX Graybeard who was my mentor showed me how to play with tcpdump.


#15

We all do it, but you have to be careful. For example, there are a couple of class A networks that are service-grade-nat’ed so heavily, they are unblockable by IP. You’d take down countries.

However, there are also netblocks that host what are known as “bulletproof servers”. Those monstrosities can be blocked at your edge with little to no fuss.


#16

You’re the only person in this thread who has actually used that word. That makes you the only person here to have invoked it randomly, while in the process of rebuking people for invoking it randomly.

I just found that amusing, and thought I’d share. :)


#17

Gonna name-drop here, I think it was Stephen Northcutt who answered my question of, “okay, we understand how to dump traffic, but what do you do next”.

The answer was basically, “pipe it into Perl”.

Good times.


#18

Took me a few years to figure that out on my own from reading books and Usenet posts.


#19

Cryptography is to crypto nerds, VPN nerds, and most infosec/netops similar to the word Salt with chefs. It just kinda is implied the entire time.


#20

It isn’t theatre. We have specific instances of users using throwaway email addresses to create users for ban evasion. Since we can’t block by email we have to block by IP (sometimes entire class C or B networks).

Good news is, discord itself tracks how recently these IPs have been “seen” and will release those bans all by itself.

Bad actors suck. We get a lot more spammers and malicious users than meatspace does for physical security. The opportunity cost is minuscule.
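
As an added illustration of the trade-off argued over in this thread (not part of any post, and not the forum software's own code): a ban list keyed by network that releases a ban once no abuse has been seen from it for a set window, with a count of which accounts each ban catches. The `BanList` class, the `blocked_accounts` helper, the 30-day window and the sample sessions are all assumptions constructed for the example.

```python
import ipaddress
from datetime import datetime, timedelta

RELEASE_AFTER = timedelta(days=30)  # assumed window; the thread gives no figure

class BanList:
    """Network bans that lapse once no abuse has been seen for RELEASE_AFTER."""

    def __init__(self, release_after=RELEASE_AFTER):
        self.release_after = release_after
        self.last_seen = {}  # ip_network -> datetime abuse was last seen from it

    def ban(self, cidr, seen_at):
        # strict=False lets "203.0.113.7/24" stand for the enclosing /24
        self.last_seen[ipaddress.ip_network(cidr, strict=False)] = seen_at

    def check(self, ip, now):
        """Return the active ban covering ip, or None. Stale bans are released."""
        addr = ipaddress.ip_address(ip)
        for net, seen in list(self.last_seen.items()):
            if now - seen > self.release_after:
                del self.last_seen[net]      # released automatically
            elif addr in net:
                return net
        return None

def blocked_accounts(bans, sessions, now):
    """Accounts whose current IP falls under an active ban (the collateral)."""
    return sorted({a for a, ip in sessions if bans.check(ip, now) is not None})

# Constructed sample: one VPN exit shared by a spammer and a legitimate user.
SESSIONS = [
    ("spammer01", "203.0.113.7"),
    ("alice", "203.0.113.7"),     # same VPN exit as the spammer
    ("bob", "203.0.113.42"),      # same provider, different exit
    ("carol", "198.51.100.9"),    # unrelated network
]

if __name__ == "__main__":
    t0 = datetime(2017, 3, 1)     # constructed timestamp
    for cidr in ("203.0.113.7/32", "203.0.113.7/24"):
        bans = BanList()
        bans.ban(cidr, t0)
        print(cidr, blocked_accounts(bans, SESSIONS, t0 + timedelta(days=1)))
        print(cidr, "day 31:", blocked_accounts(bans, SESSIONS, t0 + timedelta(days=31)))
```

Widening the ban from the single exit address to the /24 adds a bystander on a different exit of the same provider, and both bans disappear on their own once the window passes without new abuse.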