So I’m pretty recent to the high seas but I’ve seen a few posts now about “stop relying on your VPN” and “people that think VPNs will protect them are naive” and so on.
So since I believe knowledge is our greatest weapon/tool/super-power, can we get some answers regarding what exactly the doomsayers are getting at? ELI5 why VPNs wouldn’t protect your anonymity.
Is it about logging? The country your end-point is in? Something more technical?
Ultimately I’d like to be fully armed in order to keep making the best choices for my fledgling ship as it navigates the vast, stormy seas.
Almost every time “regular” people get in trouble for piracy, the reason is that they seeded something, a copyright law firm (or their contractor) noticed it, noted their IP address and then either went and got the real life address from the ISP so that they could send you “the bill” or they made the ISP send you something, depending on where you live really.
That means, as long as that that IP address that shows up on that law firms screen isn´t actually “your own”, isn´t immediately traceable to you simply by calling up your ISP, you´re already one step ahead in the game.
That law firm might still try to contact the owner of that IP though, either to send them “a bill” or to get them to rat on you. And that´s why it is important that your VPN provider operates in a way that allows them to simply ignore that. Either by operating out of a country that doesn´t mandate them to “help finding you” or by simply not keeping any logs of what actual IP was connected to what VPN IP at what time.
So if you have a VPN provider that maybe operates out or through a country where piracy is legal or has proven through audits that they couldn´t rat even if they wanted, you´re highly unlikely to get into any trouble.
I think this is not how it works. It’s like saying: I’ll connect a physical lock to my laptop and I’m more secure. (Many PC laptops have on the side a standardized connector for physical locks which is often used in electronics stores)
Better to go a step back and to consider your Threat Model. What are you doing? What are things that could likely happen right now? Is <insert security solution> adding to your security/backing up your Threat Model or is it making things worse because it’s adding stuff that you don’t need, making workflows so complicated you’re likely to misconfigure?
To give a more practical example, there have been a lot of conspiracy theories about Antivirus software. In some sense the nay sayers are right and it actually adds possible holes since they tend to run with elevated privileges. On the other hand, does it really matter for your use case? If you download random stuff online, you should probably install one. (Probably also for your fellow humans so your computer doesn’t end up being a botnet host) But if everything on your computer is hand-picked ™, you might be actually right and they decrease security.
You shouldn’t even to it that way. If you run possible malicious Software, the antivir has a chance to miss it. If it’s a new virus. Run everything in a sandbox and check if it calls some kind of control server and let the antivir check it in said sandbox. Than you can transfer it to your main PC
Because it’s all a scam. You aren’t any more private than before. You just shift from point A to point B who knows the most about you. Then there are advanced analytics. You have a encrypted connection but if they know you used a VPN-Y. to talk to server X and server X has a seed for the new flash movie they still got you. It’s just a bit more complicated to get beyond resonable doubt. So the protection is that you hope your enemy isn’t interested in a bit more work. In a way you put a marker on your traffic by using a VPN that there might be something interesting.