After writing my first VPN service review a couple of weeks ago, I asked my readers "what other VPN services" I should evaluate. A much-requested one was HideMyAss (HMA), so here is that review.

You can't evaluate VPN service providers without seeing HideMyAss.  They have ads everywhere. My first experience with HMA was through a 1-month free offer provided by Anonabox. 

Most security blogs and posts on review sites give HideMyAss a poor rating because they have (allegedly) turned over user log information to authorities (without putting up a fight).  Others complain that the service is "feature light".

HideMyAss has a massive network of termination points (one of the biggest in the world). 

HideMyAss cost

HideMyAss has increased its prices over the years and has a single tier plan (aka you don't pay for usage volume or number of connected devices).

Your commitment term determines your monthly price. At $6.99 for 12-months, they are competing with the likes of VyprVPN and ProtonVPN. HideMyAss is almost double the price of Internet Private Access (IPA), which is regarded as one of the best from a privacy-guarding perspective. Another much more popular cheaper alternative is UnlimitedVPN.

Once a season, HideMyAss does run a 50% off promo so....

HideMyAss features

The first major feature is the sheer size of its VPN network. HideMyAss offers 720+ VPN servers in 320+ locations in 190+ countries.

Now we get to the less feature part of our program. HideMyAss VPN support's two simultaneous connections per subscriber. ProtonVPN supports 2 with it's $4 a month basic plan. VyprVPN supports five simultaneous connections with its $6.67 a month plan. VPN Unlimited is offering a $49.99 lifetime plan with five simultaneous connection support. 

HideMyAss supports OpenVPN, PPTP and L2TP. 

People who buy HideMyAss aren't power users but people who are looking for a "simple" VPN solution with an extensive termination network. They support terminations in locations like Servia and Malawi.

Is HideMyAss Secure and Private?

So many security forums and Reddit threads discuss how HideMyAss (allegedly) turns over user data to police with little pushback. The most prominent example of this accusation is a 2011 situation where it is believed HMA turned over user information for Cody Kretsinger. Cody Kretsinger was a member of LulzSec and arrested by police for hacking Sony Pictures (he was convicted of the crime). 

There are dozens of other such claims, just do a quick Google search.

Reading the End User License Agreement, you learn that HideMyAss (Privax) is a UK company and is now owned by Avast (a Czech company). The UK is not known as a haven for privacy (e.g. snoopers charter). Most UK providers must maintain rich metadata logs.

The HideMyAss privacy statement for their VPN service says "We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service. We collect aggregated statistical (non-personal) data about the usage of our mobile apps and software." HMA claims this information is kept for 2 to 3 months but the UK Investigatory Powers Act requires that this type of information be kept for 12 months.

Does HideMyAss allow Peer2Peer networking? The answer is Yes for legal content and no for illegal ones. Here is an example of a Reddit thread where a user claims HMA cut-off his service for downloading copyrighted content. In this thread, a user called neonovo says "Yes, two dmca notices from the vpn hide my ass, which as they did not hide my ass I did some much-needed research and found btguard.

If you want to download torrent based content (legal of course), you should check out the list of torrent friendly providers maintained by TorrentFreak. 

Is HideMyAss secure?

I emailed HideMyAss support asking for details about its encryption technologies and directed to this support write-up. This write-up does not answer any of my questions about what cyphers are used and how. I believe some of their protocols (like L2TP) use pre-shared keys (which is a bad thing).

Without any additional information, I have to assume the worst and say "I don't consider HideMyAss secure at this point". My starting position is to assume technology is insecure unless proven otherwise.

I could not find DNS leak protection as an option in the Windows client, but my tests showed that it did not leak DNS information. 

HideMyAss performance

Assuming everything above didn't scare you away, you may be wondering about performance. Anytime I perform a VPN test; it is done using a 100MB fibre connection (<10ms ping) with a cleanly installed and patched Windows 10 computer connected directly to the internet connection. 

Some HideMyAss connections had excellent performance, and other's cut my throughput by more than 50%. Through trial and error, you will be able to find the servers that work best for you, but there is no automated performance cataloguing function. 

One item I will add here is the ability to get US Netflix. I  test this with every VPN and Netflix never works, except this time it did with one of the US servers I tested. Since it did not work consistently, I am assuming there were a couple of IP addresses Netflix hadn't catalogued as VPN yet. 

Conclusion

I don't use VPN to hide illegal activities. I use VPN to protect my privacy when I am using untrusted networks or from my ISP [read Your ISP is tracking you]. With everything that I learned during this review, I can't recommend HideMyAss. There are so many better options (in my opinion) that you shouldn't settle for a company that doesn't go the extra mile. 

There's a good chance you never heard about Microsoft's very unpopular Grove music streaming service (Apple Music, Google Music, Pandora, Spotify, Deezer, etc.). 

Microsoft is determined to change the fate of this little-known offering by enticing you to subscribe with a fantastic deal: when you buy a single month of service for $US9.99, they give you two 3-month vouchers to share or use yourself. 

If you are a Microsoft fanboy already paying for this service, then you are out of luck, this applies to new subscribers only.

Here is the fine print:

This is unfortunatly a US only deal. 

You can subscribe here. 

The question I receive the most is "what VPN service should I use when I travel?".  I started writing and testing the most popular ones and so far you can read these ones:

• Honest review of the ProtonVPN service

• Beware of the fake VPN provides

• KeepSolid VPN Unlimited Review

• VyprVPN Review

The next most requested service is Private Internet Access (referred to online as PIA). 

Introduction

Private Internet Access (PIA) is one of the most popular and affordable VPN service providers around. At last count, PIA offers 3,193 servers hosted in 24 countries. PIA belongs to an organisation called  London Trust Media, Inc. 

The tech

Private Internet Access is an easy choice for the general consumer because of the wide range of clients it supports: MacOS (10.4 and newer), Windows 7/8/10, Unix/Linux, Ipad/iPhone (PPTP, IPSEC, L2TP), Android (PPTP, IPSEC, L2TP, OpenVPN), DDWRT, Tomato OpenVPN, PfSense OpenVPN.

It not only securely reroutes your traffic but it can also block ads, trackers and malware. It does support P2P traffic and has a strict no log policy. 

Rick Falkvinge, head of privacy at PIA, talking about their no log policy and why it's important.

The client

Their clients are simple and straightforward but offer interesting features like the level of encryptions, DNS leak protection and a kill switch (to stop all traffic if the VPN drops).

It will let you pick a region to exit from but not a particular server. 

PIA allows you to connect up to 5 devices simultaneously. 

The speed

For comparison purposes, I tested PIA against ProtonVPN, ProXPN, UnlimitedVPN and VyprVPN. All terminating in Canada. My connection to the internet was a machine connected straight into my internet router with no other traffic (keeping all the variables controlled). The machine was a freshly imaged version of Windows 10 with all of the latest patches applied and only Google Chrome installed.

My connection is a 100MB down / 10 MB up. Without a VPN I usually get performance slightly better than advertised. With VyprVPN (the fastest), I managed to get close to 95MB down / 9.6 MB up. With PIA, I managed to get 87 MB down / 7 MB up. 

My ping without a VPN was below 12 ms but hit around 25-50 with PIA. 

Netflix?

People want to know if they can access US Netflix via PIA and based on my testing, the answer is: almost never. During my testing, Netflix detected the PIA connection and blocked access. A small number of recent online comments (on various sites) said Netflix worked for them but I was not able to reproduce it.

Support

I had no need for support but read dozens of complaints online about their support. Your mileage may vary. 

Price

The annual price here is a no-brainer: $39.95US a year everything included. This is an incredible deal. VyprVPN comes in at ~$80 a month (paid annually). 

Conclusion

PIA offers a trusted and well respected VPN service for a very competitive price. If you need a layer of protection from your ISP then this is definitely an option you need to consider. Advanced users may find the sparse low granularity interfaces annoying but then again, sometimes you just want things to work without having to tinker. 

UPDATE 7/5/2017: My connection to the ProtonVPN endpoints using their Windows client is extremely unreliable. At random intervals, the connection just "stops working" and the only way to fix it is to connect to a new location. I have had a support request open for over 1.5 weeks and my issue hasn't been resolved yet. I cannot recommend the ProtonVPN service at this time for the reasons listed below and because my experience has been unstable (and support has been slow to non-existent).

------------------------------------------------------------------

Since the official public launch, I have received dozens of emails (and Twitter DMs) from readers asking me to review ProtonVPN. 

A group of scientists with a track record of building secure products (ProtonMail) designed ProtonVPN from the ground up to be safe and privacy-enhancing.  The promise is that they will bring the same end to end encryption model to the highly uncertain world of VPN.

They talk a lot about the benefits of being headquartered in Switzerland, and many of their statements are accurate. Let's talk about the Five Eyes

Who are the "Five Eyes"?

With the Edward Snowden leaks, we learned about the complex data collection agreements between "friendly" countries. The first significant agreement is called the UKUSA agreement and is an agreement by the United Kingson, United States, Australia, Canada and New Zealand to collect, analyse and share intelligence information with each other.

This group is referred to as the "five eyes" because of their laser-like focus on sucking up incredibly massive amounts of data and sharing it with their "partner" intelligence friends. Some have even accused these countries of using this partnership to circumvent local laws designed to present local intelligence agencies from spying on their people (they get another five eyes Country to do it and report back).

So the Five Eyes countries are:

1. Australia
2. Canada
3. New Zealand
4. United Kingdom
5. United States

Not wanting to be left out, other countries soon sought membership in this coveted group, and now we believe the extended group should be called the 14 eyes:

• Denmark
• France Netherlands
• Norway
• Belgium
• Germany
• Italy
• Spain
• Sweden

Switzerland is not part of the 14 eyes (or five eyes)

So protonVPN is located in a much more privacy friendly jurisdiction that does not have a formal intelligence gathering and sharing agreement with the rest of the world.

ProtonVPN technology

ProtonVPN uses industry standard OpenVPN with UDP or TCP. It currently has a ProtonVPN branded Windows client.

As I write this, ProtonVPN allows you to use any OpenVPN client with their service which is how you can connect from IOS, Android, MacOS or Linux. We are being promised clients for these platforms, but there is no firm committed to date.

Does ProtonVPN slowdown my connection?

I did extensive testing of the ProtonVPN service from various internet connections (home, office, coffee shops and three different cell phone providers). I also used different clients (Windows, MacOS, Android and IOS). 

If you are using (non-secure core) close by exit node with low traffic, the performance hit is usually 5-12%. This is no better or worse than other high-quality VPN providers. When you turn on secure core routeing, you can lose 20-45% of your connection speed because it is sending your traffic through 3 secure data centres plus the exit node. 

What is the Secure Core Technology?

Secure Core is a nice enhancement to traditional VPN technologies that pass your traffic through multiple ProtonVPN owned and managed servers before finally delivering it to the exit node. 

Why Secure Core?

Secure Core was created to add additional protection when your exit node is in a "high risk" jurisdiction. As an example, you may want to exit in the US to gain access to geographically locked content but want to ensure your privacy is protected (knowing that almost all US traffic is captured, analysed and stored).

What does Secure Core protect against?

Leaked documents have shown that governments can deanonymize TOR traffic by controlling a large number of TOR exit nodes. The same can be done using VPN exit nodes. Most providers use local service provider facilities, networks and computer as termination points for their VPN service.

The three VPN services I am testing right now (ProtonVPN, UnlimitedVPN, ProXPN) all use Amanah Tech as their Toronto-based exit point. If a government agency were to compromise the equipment, they could then start de-anonymizing traffic flowing through it.

By routeing your traffic through multiple (typically three), ProtonVPN owned and managed devices in secure jurisdictions first; they make the de-anonymization (even if a government agency compromises the exit node) much more challenging.

When most people think of governments monitoring internet traffic, they think of (China, Russia, Iran and Turkey). It is important to remember that the 14 Eyes also monitor internet traffic and share the data amongst themselves.

Does ProtonVPN support Peer to Peer protocols (P2P)?

Like all VPN providers, ProtonVPN does not condone the use of their service for any illegal activities (including the illegal download of copyrighted content via P2P networks). Before I start receiving hate mail, I know there are legitimate uses for P2P technologies (like Resilio Sync or Tails OS).

ProtonVPN clearly marks endpoints that they recommend you use with P2P traffic:

The double arrows mean that is a P2P supported exit node. The Onion icon next to Switzerland is an example of a location that has a TOR entry node.

Does ProtonVPN log?

ProtonVPN is built on a pedigree of privacy, and their stated logging policy exemplifies that. ProtonVPN has a No Logs policy which means they do not store any information about your connection, what you do while connected and where you connect from.

The only information they log (for security reasons) is a single timestamp of the most recent logging from your account.

ProtonVPN sign-up

Potonmail and ProtonVPN have linked accounts and payment can be made via Credit Card or Bitcoin (instructions).

ProtonVPN goes to great lengths to protect your identity, but I would still say it is a privacy tool and not an anonymization service. The best anonymization system is still the free TOR browser(you should donate to them if you haven't already).

ProtonVPN Paid Plans

ProtonVPN offers a free plan but most users will want to upgrade to the Plus paid plan.

VyprVPN which is one of the best-in-class VPN providers offers an annual paid subscription for ($6.67 a month). This plan includes their Chameleon protocol (which hides the fact you are using a VPN and makes it usable from some highly restrictive locations). One of the other VyprVPN advantages is that they use their servers and networks as exit nodes. Is the $1.33 a month worth it? That is a personal question. VyprVPN offers Chameleon, but ProtonVPN offers Secure Core. Either will serve you well, but right now I still have to recommend VyprVPN. My recommendation would quickly switch to ProtonVPN if they released clients for the other platforms. 

ProtonVPN recommendations

ProtonVPN is a good attempt but there is definitely room for improvement:

1. Release clients for all major platforms [ongoing]: MacOS, IOS, Android.
2. Build a VPN hiding mode to enable use in highly controlled locations (like Chameleon on VyprVPN and KeepSolid Wise on Unlimited VPN). 
3. Create mini 2-minute tutorials for the various functions (TOR, Secure Core, P2P support, etc)
4. Mark the Plus servers for Plus/Visionary customers
5. Have a way of routing VPN traffic (for Plus/Visionary customers) that does not show up as a proxy on Hulu, Netflix, etc)

Conclusion

I have tested about a dozen VPN services over the last year and the top provides are:

• UnlimitedVPN: Ease of use and speed
• VyprVPN: Ease of use, Chameleon protocol and they use VyprVPN owned servers and networks
• ProtonVPN: Privacy oriented Swiss-based solution

The first two are amazing if used in the right context. If ProtonVPN answered my top 5 recommendations, then they would be the clear winner, but I cannot recommend an $8 a month VPN service without native clients on key platforms. As much as I want to, I simply can't.

Right now, I would say ProtonVPN is an excellent choice if most of your use will be on Windows. Otherwise, try VyprVPN for now and check back with Proton in a couple of months to see how the service has evolved. 

I've written 2 reviews for VPN Services recently:

• VyprVPN Review
• KeepSolid VPN Unlimited Review

I've also written 2 reviews for WIFI VPN/TOR portable boxes:

• Anonabox Review
• Invizbox Go Review

One item I have never covered is the proliferation of scammy VPN services sold by snake oil salesmen. 

With the Edward Snowden leaks and all the media coverage about the loss of online privacy, even the most complacent internet netizens are starting to think about securing their online presence. Protecting it not only from government agencies but from unscrupulous websites and even their own ISP (Your ISP is watching you).

So what was once the domain of geeks and corporations (VPN) has now become mainstream. The truth is the tech behind VPN is complicated for the average Joe to understand and most are simply not interested in digging into the details. It is this nonchalance that attracts scammers trying to make a quick buck. 

Example of scam VPN Service

MySafeVPN was a fake VPN service created by unknown bad guys trying to scam users. They obtained a confidential Plex database and used the customer emails as targets. Each target received an invitation pretending to come from Plex and offering their brand new VPN service called MySafeVPN (discussion thread here). 

Once Plex found out about this fake service, it provided an official rebuttal statement to its users. The scammers quickly disappeared and took the money raised with them.

Copying legitimate services

Scammers are inherently lazy and love copying what already works. They often copy the look, feel and content of legitimate VPN providers, making it hard for the "average Joe" to distinguish the good from the bad.

Telltale signs of a scammy VPN provider

It's free or unreasonably cheap

Running a VPN service costs money. Providers have to pay for hosting, servers, development and connectivity. If the price is unreasonably cheap, it may just be a pretty interface to public proxy servers or they probably have another revenue stream (like selling your services or injecting malware into your traffic).

Reputation, reputation, reputation

Search the web and figure out how long the service has been in business. Unless I know something about the founders, I tend not to trust new VPN services (e.g. ProtonMail create ProtonVPN so I trust them). Search forums for comments (positive or negative). If a bunch of the comments seem to be posted around the same time period, assume that they may be fake. 

Outrageous claims

Reputable services provide a certain level of technical detail to backup all of the claims they make. As an example, ProtonVPN has a "Secure Core" technical which enhances security and privacy. In addition to just talking about it, they provide the technical details about how it works. Beware of VPN providers that make grandious claims without any technical supporting information (e.g. The fastest, the most secure, etc).

Support model

A real VPN provider will have solid support channels to ensure it's customers are happy. As an example, KeepSolid VPN Unlimited provides support via online form and email. Additionally, you can contact them via Twitter. When you submit a question, they will respond within a reasonable timeframe (even if you are testing the service or aren't even a customer yet).

Conclusion

Like all fraud, detecting fake VPN service isn't always easy or straightforward. I hope the tips and tricks I have provided here will help some of you avoid these unscrupulous scam artists. As always, if you have questions or comments, feel free to post a message below or tweet me (@ekiledjian). I normally answer questions within 48 hours.

VPN Unlimited is one of the most popular VPN services available and for good reason. It is fast, reliable and competitively priced (deal below).

VPN Unlimited is a USA based provider and offers termination in more than 30 countries (with multiple locations in most countries). VPN Unlimited has good platform support (Windows, Mac, iPhone, iPad, Android) and very well written clients.

Above is a screenshot of the protection menu option on their IOS client. When set to High security, they (in addition to VPN protection) automatically add anti-malware, tracking blocking and ad blocking.) All of this extra security is done at the network layer without the need to configure any additional applications or pay additional fees.

Like most VPN service providers, VPN Unlimited specifically mentions that they do not allow illegal torrenting via their service. They recognise that not all torrents are illegal and allow the use of the BitTorrent protocol on these VPN termination points: US-California 1, Canada-Ontario, Romania, Luxembourg, and France servers.

A question I get asked often is "Does VPN Unlimited support OpenVPN on iOS, iPhone or iPad?" The answer is Yes! As shown in the above screenshot. Additionally, they support a protocol they call KeepSolid Wise (similar to the Chameleon protocol on VyprVPN). KeepSolid Wise uses common ports (TCP 443/USP 33434) which help bypass firewall restrictions and packet shaping control for most environments. KeepSolid Wise is available on iOS, Android, MacOS, Linux and Windows clients.

I setup VPN Unlimited on a Windows machine configured for maximum privacy. I then ran a battery of tests to determine how well it protected my privacy.

• does not leak DNS queries when in VPN mode (go here to test)
• does hide your actual IP address (go here to test)
• does not leak IP or DNS information via JAVA or Flash ( Go here to test)
• protecting P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P and VyprVPN did. You go to this site and the find the Torrent Address Detection. You download their magnet link into your P2P client of choice then activate the test. If it shows your real IP or DNS, you are not protected. You should only see your VPN address here.
• VPN Unlimited is not subject to WebRTC leaks when in VPN mode (go here to test

VPN Unlimited seems well written and does offer good protection.

Deal

VPN Unlimited is currently running a couple of specials that are worth considering (I bought the unlimited plan):

• KeepSolid VPN Unlimited lifetime subscription for only $49.99 (for 5 devices)
• KeepSolid VPN Unlimited 3-year subscription for only $29.99 (for 5 devices)
• Add their Infinity Plan (aka 5 additional device licenses) for $14.99  but you must own one of the above subscriptions

Conclusion

The best summary I can give you is that VPN Unlimited has a permanent stop on the first page of my iPhone and I use it regularly. 

VPN Unlimited has decent privacy policies but isn't the super secret spy-proof identity protection service. If you want to protect your connection while out and about, VPN Unlimited is cheap, fast and reliable. If you want a super secret identity protecting connection then create your own VPN service on AWS or Azure using one of the pre-made scripts.

Questions

Does KeepSolid Wise work in China?

China severely controls encryption and in some cases slows down encrypted connections making them barely usable. A friend recently travelled to mainland China and reported that VPN Unlimited (with KeepSolid Wise UDP) worked flawlessly.

Does KeepSolid VPN Unlimited support video streaming?

Some of the cheaper VPN providers limit the quality of video from streaming sites because these stress the technical infrastructure of the provider. VPN Unlimited supports streaming video on all termination points but also makes available streaming optimized termination points which are specifically designed to work "better" with sites like Youtube, Dailymotion, Vimeo and more.

Does KeepSolid VPN limit connection speed?

There are dozens of factors that contribute to your overall internet speed but VPN Unlimited does not have tiered pricing based on speed and does not limit connection speed in any way. On most clients, they even show the workload on each termination point which means you can choose one with the least amount of current load (which should lead to better performance).

Does VPN Unlimited support Chromebooks?

VPN Unlimited has a Google Chrome plugin (which works on Chromebooks) and allows you to protect your web browsing only. Obviously as a proxy, it is less secure and missing many of the additional features you expect from VPN Unlimited but it is a great way to browse quickly (securely) and a great option on a Chromebook that doesn't require Jedi level knowledge to implement. 

VyprVPN owns and manages its own networks and servers. During my recent VPN testing shoot-out, VyprVPN consistently ranked as one of the fastest VPN providers out there. 

In addition to raw speed, they have an incredible list of supported clients from traditional PCs (Mac, Windows, Linux), to routers (DDWRT, OpenWRT, AsusWRT), smartphones (iPhone, Android, Blackphone, Network Attached Storage (QNAP, Synology), TVs and the Anonabox. 

Contrast this to other popular VPN solutions like UnlimitedVPN, which only supports a small number of custom made clients.

It's VPN clients are well designed with easy to use interfaces and useful features (kill switch, auto-connect, etc). A cool and useful feature is called Chameleon. They explain Chameleon as:

The first important note is that the Chameleon protocol is not available for IOS due to Apple restrictions on the VPN function. I had the opportunity to test the Chameleon protocol on a Windows laptop from a corporate network with strong VPN restrictions, an ISP that throttles VPN traffic and from a country that severely slows (painfully) down VPN traffic. In all three of these situations, the Chameleon protocol delivered that it promised.

• It punched through the heavily controlled corporate network
• When used with the ISP that throttles "normal" VPN traffic, it managed to trick the provider and I was able to use a full speed connection
• A friend travelling to a highly restrictive country compared VyprVPN to 3 other VPN providers and VyprVPN with the Chameleon protocol was the only one that seemed to operate at normal speed (aka didn't seem to be artificially slowed down)

With more and more internet traffic being encrypted, many companies, organisations and governments have turned to DNS based control tools. DNS is still an unencrypted means to determine web destinations. DNS be used to prevent a user from accessing certain types of sites (religious, political, pornography, etc) and to log web browsing habits. It can also be used to redirect your traffic (quickly without you even realizing it), to inject your session with malicious code and c compromise your device. VyprVPN offers their own self-managed private "no log" DNS solution to protect their customers from DNS snooping and control.

VyprVPN offers a clear and well-written privacy policy. Obviously you aren't anonymous but in summary, they retain " Each time a user connects to VyprVPN, we retain the following data for 30 days: the user's source IP address, the VyprVPN IP address used by the user, connection start and stop time and the total number of bytes used."

And they offer a wide range to termination locations.

VyprVPN and leaktests

I setup VyprVPN on a Windows machine configured for maximum privacy. I then ran a battery of tests to determine how well it protected my privacy.

• does not leak DNS queries when in VPN mode (go here to test)
• does hide your actual IP address (go here to test)
• does not leak IP or DNS information via JAVA or Flash ( Go here to test)
• protecting P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P and VyprVPN did. You go to this site and the find the Torrent Address Detection. You download their magnet link into your P2P client of choice then activate the test. If it shows your real IP or DNS, you are not protected. You should only see your VPN address here.
• VyprVPN is not subject to WebRTC leaks when in VPN mode (go here to test

VyprVPN seems well written and does offer good protection.

Beware of the unknown

The only information that we have about the service comes from VyprVPN themselves. Remember that none of the statements about privacy and logging have been reviewed by an independent third party.

They are a US company and therefore they are subject to US data collection laws including the infamous National Security Letter (NSL). 

The above caution statement isn't unique to VyprVPN. I am not aware of any consumer VPN services that have been independently audited but it is still an important factor to consider. 

Some users may want to use a non-US based VPN provider to ensure the company is beyond the legal reach of US laws. The one I am looking into right now is ProtonVPN (which I will be reviewing shortly).

Other users may choose to roll their own VPN solution (lifehacker instructions using the Algo script or you can use anyone of the other scripts that almost automate the creation of a private dedicated VPN instance you control like OpenVPN Road Warrior, streisand, etc.) 

Conclusion

VyprVPN is a fast service with a broad selection of clients and a decent privacy policy. If you are performing illegal activities or are a human rights activist in a questionable region, this probably isn't for you. If you are a "regular" user looking for a decent level or privacy when using the internet, then this is definitely something you should consider. 

For the casual user that only connects to a VPN when using public WIFI, you may want to look elsewhere because VyprVPN isn't cheap. A prepaid annual subscription costs $6,67 a month (or $12.95 paid monthly).A casual user can buy a lifetime subscription to UnlimitedVPN for $49.99 here or a 3-year subscription for $29.99 here.). 

I started testing ProtonVPN recently and will write a review shortly but their offering (plus level) is $8 a month prepaid for 1 year). VyprVPN offers the Chameleon protocol, more servers and their own DNS service (which ProtonVPN does not yet). 

So the price is on the higher end but is in no way the most expensive. For the very casual user, you could be better served by another provider, but for the more security conscious user or traveler, this is definitely a service to evaluate. 

Think of all the valuable data your PC contains (pictures, files, invoices, contacts, etc). Now imagine losing all of that data Virus' are still a thing but you should be more worried about ransomware, worms and all of the other digital creepy crawlies roaming the net looking to make you their next victim.

Go read my article entitled "How to secure Windows 10".

Backup everything, then back it up again

In 2012, I wrote an article entitled "The best way to protect your data - images, music, documents". The main point is that you should always remember the 3-2-1 rule of backups:

1. Have 3 copies of all of your important data (1 primary and 2 backups)
2. Make sure your 2 backups are on separate media technologies (e.g.1 on a hard drive and the other in the cloud or 1 on a hard drive and the other on a tape backup)
3. 1 of your backups should be offsite in a remote location that would not be impacted by a major disaster that hits your area (e.g. in the cloud).

The advantage of most cloud backups is that they support version control which means if you infect your files with ransomware, you can always go back to  a known good version. My backup strategy involves:

1. 1 primary version of my data and a local hard drive backup
2. 1 complete synchronization of my files on a fully encrypted trust no one online storage service
3. 1 complete backup using a remote backup service (like backblaze or carbonite)

Update everything

WannaCry created an incredibly outcry in the tech world with thousands of companies getting infected in hundreds of countries. The truth is that an update published 2 months prior patched that vulnerability. Updating computers in large companies is complicated but your home PC shouldn't be.

You must must must update your operating system and applications regularly to stay protected.

The latest version of the operating systems from Microsoft, Apple and Ubuntu are all configured to auto-update themselves. In addition to the OS, make sure you periodically check for application updates.

If you use an Apple Macintosh computer, you may even want to use something like MacUpdate Desktop to constantly check if any of your installed apps have updates available.

Leave the built-in firewall on

Some "Security" apps turn off the built in firewall but it is critically important to ensure it is always on. On Windows, you can turn if on/off with these instructions. You can find information about the Apple Mac application firewall here. 

Use an antivirus

The question I get asked the most often is should I buy a third party antivirus for my home computer and my answer is no. Anytime you add a third party tool, you increase the attack vector therefore rely on what Microsoft bundles with Windows 10. You can follow these instructions to change the Windows Defender Antivirus cloud-protection level to 10.

In February I wrote an article entitled "Companies buying bitcoin to prepare for cyber extortion" and in there included this paragraph:

You can run something like RansomFree on your home PC in addition to the Windows antivirus. 

Upgrade the fleshware

The truth is that even the best most advanced technology can't prevent an infection if the user does something stupid. Often users are the weakest link the the corporate security chain and you are no different. 

Using good security hygiene will go a long way to protecting you. Basic tips:

• never open an attachment from a user you do not know well or that you are not expecting
• never click on a link embedded in an email
• never install applications from untrusted sources (including torrents or anything pirated)
• Remember that you can also get infected from a website so use Google Chrome with the the Ublock Origin plug-in

What to do if you get infected?

If a user's PC or Mac does get infected, their first thought is to find someone that can clean it. The truth is that once your PC is infected, it can' really be cleaned properly or trusted. At that point, you must do  a clean re-installation from a known clean source and then recover your files from a known good backup.

Some technical support companies will offer cleanup services but don't do it. Once your PC is infected, you don't know what else could be lurking in the background waiting to strike again. The best course of action is to start fresh.

Hopefully you have backups and everything will work out just fine. If you don't have backups and your files are encrypted by ransomware, you can always check out a free online site called No More Ransom Project and see if they offer a free decryptor for your ransomware. There are no guarantees your infection strain has a decryptor but it doesn't hurt to check.

Phishing is a powerful and effective tool and a favorite in the threat actor arsenal. So what happens when your cloud provider gives threat actors a roadmap to steal from you?

A couple of weeks ago, Workday sent a security advisory to its customers regarding a phishing campaign targeting its customers. Although details of the attack campaign are light, here is what I believe is happening based on discussions on various darknet forums.

What was the Workday phishing attack model?

First, none of this is a weakness or vulnerability in Workday or any of its systems or processes. The threat actors send an email to employees, pretending to originate from a high ranking executive (CFO, CEO, SVP HR, etc.) and are asking, asking them to log into "Workday" to fix an issue. This fake Workday site harvests the credentials which then allow the threat actors to log in and change direct deposit accounts for employees thus stealing money. 

Based on reports I have seen, these emails are professionally written (so they do not contain the telltale signs of being a scam) and are currently not being caught by many large spam filtering services.

How did Workday facilitate this attack?

Like many SAAS and cloud service providers, Workday proudly displays a ling list of satisfied customers on its webpage. This marketing list basically becomes an attack plan for these threat actors by knowing exactly which customer to target with which SAAS provider name and which attach to use. 

Security is a balancing act. It always has been and always will be. Ultimate security means severely reduced usability and no marketing. More marketing and usability means less security.
 

Security is a balancing act

Marketing is tasked with growing the business and nothing helps more than social proof (aka showing others that have made the same decision you are thinking about). The fact Workday marketing is publishing hundreds of customer names on its website is aligned with their objective of supporting business growth. After all, why should marketing avoid using all of the tools available to it just to protect the business from some attack that may or may not occur?

Even if marketing hadn’t published an exhaustive list, they probably would publish a press release when a new big-name customer was signed. This means a determine attacker could build his own list of high-value targets. Right?

As an example, they published this press released in April entitled “Workday Continues Momentum in Canada.” This wonderful piece of marketing includes this section:

To be clear, this is not a Workday issue but a generalized cloud services provider issue. As an example, a service provider called CVM solutions has a customer search on its webpage:

Where does marketing end and security start? 

Stop making it easy

In addition to publishing a customer list, most Software As A Service (SAAS) companies publish a custom login page for each customer (which is usually pretty easy to find).

In Workday's case, you go here

Enter the customer name of a customer and find their login page

Again this is a common practice by many large SAAS providers. Even a giant like Microsoft does this for their Office 365 in the cloud offering. I searched the web for Microsoft Office 365 success stories and stumbled on blog post. 

So I know the American Cancer Society uses Office 365. I then need an email address to plug into the portal page so Microsoft switches me to their customized Office 365 login portal. In this case, I chose to use a service called Jigsaw.com (from Salesforce.com) and found the email address of their CEO.

Keep in mind that finding email addresses is easy. There are billions of them on the web. There are dozens of hacked site database dumps every week. This is trivial but I chose Data.com just to show it visually here.

You then are sent to the appropriate login page for authentication.

If you are a threat actor, you scrape this page, register a close-looking URL and then target all of the users of Cancer.org you can find (remember there are huge lists everywhere on the web and darknet if you know where to look).

Let's be real

Marketing is a business necessity and every company has an obligation to maximize its top line by leveraging everything it legally can. As a potential customer, I love hearing about other customers that have already chosen the product I am evaluating and learning how they leveraged it to improve their operations (Social Proof - Social Influence). If a vendor tells me that one of my main competitors chose their product and that it is contributing to their success, I really want to know more. How can I leverage their tool too?

If I am a threat actor and determined to phish a particular company, there are other means for me to collect the data I need. A popular technique is called Open Source Intelligence (OSINT for short) and the folks at Rapid7 provide a nice example here. 

Using OSINT techniques, they provide a list of customers that include SAAS providers in their publicly available SPF records.

So the question is how easy to we want to make it for threat actors? OSINT is intelligence gathered from public legal sources but it still requires a more sophisticated attacker. Publishing a list of customers on your website means even the most garden variety kiddy "attacker" can easily target your customer.

I've spent half my career on the consulting and services provider side and understand the hugely powerful tool of social proof. If I tell a small shop owner other small shops (like his/hers) are using a tool and have found it immensely useful, that is a huge motivator. People love seeing others like them making the same decisions. It validates their choices. 

The company I work for recently conducted product reviews for various security tools, and  having spoken to another large multinational customer was one of the reasons we chose that product. It validated our findings and also showed others (like us) made the same conclusions.

There is no real answer

I'm going to disappoint you and say there is no magical silver bullet . Obviously user awareness is critical, since most often, the human firewall is what will allow or prevent an attack. 

Companies have and will continue using customer names to convince the next prospect to jump on-board. Threat actors will always continue to be create and find news ways to do bad things to good companies.

I believe the only solution is to ensure marketing and security are talking regularly and openly about strategy and impact. It is only through tight collaboration built on mutual respect and trust, that companies can decide what the right balance is between public disclosure and security.

To a hammer, everything looks like a nail. To a security professional, everything looks like a security vulnerability, but it is important to remember that sales is the only reason you are around. Our job as security professionals, is to provide enough security to protect our customers and support our business objectives. 

American politics is an extremely divisive issue and I will not be taking any sides in this debate. The purpose of this article isn't to promote any sides but rather to talk about how encrypted communication tools are being used.

Michael Moore launched a sub-page to his domain called Trumpileaks. The purpose is to give whistle blowers a "secure mechanism" to share information. 

The website recommends a bunch of encrypted messaging apps to share information via the web or by traditional mail. It recommends the use of Signal, Peerio, WhatsApp, Encrypted Email (Protonmail), traditional mail or general email if you just don't care.

These tools are very good for general secure communication but not if you are trying to "hide" from the american intelligence community. All of these tools leave a crumb trail of meta data which can be tracked back to you and the fact this isn't mentioned is irresponsible (my opinion).

What follows is not an exhaustive operational security guide (OPSEC) but just general recommendations.

Protecting your network access

The first thing you will want to do is protect your network identity, which would be used to narrow down a list of suspects when trying to identify you. 

Connect from free WIFI

The first recommendation is to use free open WIFI in a location away from your normal living areas (home, work, etc). Chose a place that is relatively far away like a coffee shop. Before using it to leak info, make sure you visit it looking for cameras in and around the area. When visiting it do not buy anything or leave any trail you were here. 

Remember that your cell phone is a beacon that broadcasts your location constantly and turning it off doesn't work. Either leave it behind or place it in a cell phone blocking Faraday cage bag (buy or make your own). You must block your signals before leaving your house.

I recommend going to your end location using public transit (since your car can get tracked via license plate or in-car navigation). Pay using anonymous transit tokens purchased with cash.

Use an anonymous VPN

Once you have found a good location, you will need a VPN device like the Invizbox (review here or you can buy it here. Since you will use this once, I recommend buying one with 2 months of VPN access. Invizbox allows you to buy via Bitcoin so do that. Make sure you setup a non trackable one time use bitcoin wallet for this transaction and ship the device to a fake name/fake location (so it can't be tracked back to you). 

Set up the Invizbox a couple of days before using a secure machine (described later), at another anonymous WIFI location using fake information. 

Use a service like Fake Name generator to help you create your fake identity. 

When setting up your Invizbox Go, use their VPN service to connect to a location like Switzerland. but do not use their TOR service.

How to buy anonymous bitcoin

Cash is king but for some transactions you may need bitcoin. You can use a site like LocalBitcoins to find a local Bitcoin trader that will allow you to pay cash and stay anonymous. 

Keep transferred amounts small so as not to arouse law enforcement interest (less than $500 per transaction). Use a disposable cheap android phone to host your bitcoin wallet and load only 1 identity on it. 

Create a fake identity that cannot be traced back to you. Buy burner phones cash. 

Remember, making one mistake will cause your anonymity to fall.

Protecting your Operating System

Use a secure Operating System with TOR

Your computer can be compromised to leak your identity. Even without being compromised, it leaks your identity all the time. Not only do you leak data but the unique setup of your computer leaks your digital fingerprint to any site that wants to track you (article here). If you want to test this yourself, check out Panopticlick. 

Hopefully you now agree that traditional operating systems aren't secure enough for the purposes of anonymity. You will need an Amnesic Incognito Live System called TAILS. This is a free operating system that you boot from a USB key that is fresh everytime you use it and doesn't leave any forensic traces on the machine it was used on. 

Tails also routes all internet traffic through TOR or I2P (use TOR). So you will use the Invizbox Go to tunnel to Switzerland and then you will use Tails with TOR to get to the dark web.

Tails is built for privacy and has a specially designed browser to minimize tractability. Ensure you follow the instructions to double check the integrity of the file you download. You will then need 2 fresh USB keys to built the final Tails USB bootable system.

You will have to make sure you laptop is compatible.

Protecting your transmission

Secure email

If you are going to use email, then make it as secure and anonymous as possible. Use a free Potonmail account (review here) via TOR. 

Anonymize your style - Stylometry

Well funded threat actors and nation state intelligence are able to identify people using stylometry. This is a technology that analyzes your writing style and then uses this knowledge to de-anonymize your content on darknet sites. 

Think of stylometry as a digital fingerprint built against your writing style (how to evade stylometry) . You may also want to checkout the Anonymouth tool  from The Privacy, Security and Automation Lab (PSAL) Drexel University, Philadelphia PA. 

Using Anonymouth will allow you to engage online while minimizing the intelligence community's ability to perform stylometry on you.

Michael Moore should setup a TOR SecureDrop service

The best way to send information as a leaker is to use a TOR service hosting SecureDrop (create by internet privacy advocate Aaron Swartz). It is an encrypted dead drop used by journalists to collect info from whistle-blowers while protecting their identity. 

The Freedom of Press Foundation has taken over the project since Aaron's death and helps media organizations install and run the tool. the FPF is addressing all of the shortcomings of the original tool

Don't trust printed leaks

You may be thinking printing and mailing is the best option but it isn't. Many printers have a hidden feature which adds invisible identification to every printed page (see EFF article here). These "invisible" yellow dots allow intelligence agencies and police to track down which printer printed a document. Recently this technique was used to track down an NSA leaker when a picture of a leaked document was show by The Intercept and the NSA found out the document was printed on one of its documents.

If you are interested, you can read about this technique here. 

Conclusion

Simply following the basic instructions on the Trumpileaks website is irresponsible and dangerous. Ask yourself what would be the impact if the leak was tied back to you?  Are you willing to live with the consequences?

Even with strong knowledge and good security hygiene, perfect anonymity does not exist on the internet. If you are determined to leak, learn how to do it and take the above precautions but know there is always a risk you will be discovered.

360 degree videos are the new THING because they capture more of the experience you are trying to share. Facebook, Youtube & Twitter all support this new more immersive medium. So the question is "What's the best 360 degree consumer video camera available?" Good question considering your local BestBuy has over a dozen in store and on display.

Having tested about a dozen of them, the best one is still the Ricoh Theta S. 

Why the Theta S? First it is easy to use. You press that big button and it starts to record. It has built in WIFI that allows you to review the captured content or control the camera with your smartphone. Last but not least, it captures good quality video.

Video is good but not great

When buying one of these devices, it is important to understand that you will get good video but it won't be an ultra sharp crystal clear 4K video (like one coming from a mid priced DSLR). The video quality will be good and acceptable but the manufacturers chose not to go super high quality because the stitching would require too much horsepower. 

Some technical specs

So what kind of sensor does this little device have? It has 2 12 megapixel sensors and  ultrawide 240 degree lenses. The camera then processes these two inputs and automatically created one 14 megapixel video (at 1080p) that automatically hides the camera. 

Pair this 360 degree video with some kind of VR headset (even a cheap Google Cardboard) and you get wonderfully imersive video that feels like you are in the moment. You can move around and see everything. This means you (as the photographer) have to consider this immersive experience when taking the video. Be cognizant of how you are holding the camera. 

Let's talk quality of video

So the Ricoh Theta S produces some very good video with good color reproduction (even is low light situations). Using the smartphone app, you can tune basic settings like exposure compensation, shutter speed, ISO and go fully manual (which I don't recommend).

Video clips can be up to 25 minutes long. Let's be honest, you videos shouldn't be longer than this anyway.

Let's talk device in hand

The Ricoh Theta S is a slim device which means it is easy to hold even for people with smallish hands. It is thin and long and a bit thick (which makes holding the device easy and comfortable).

It has a nice easy to hold onto plastic surface that has good grip. It has a standard tripod mount on the bottom which means you can easily mount this to any tripod (including a flexible Joby Griptight).

The device is easy to use and allows you to quickly switch from 360 degree videos to 360 degree pictures and back. All without having to fiddle with finicky menus or having to use the smartphone app. You can turn WIFI on or OFF (WIFI sucks battery so turn it off when not needed).

Let's talk battery life

Richoh doesn't provide good information about battery life. Assuming you are using the device for videos and have WIFI tuned off, you can expect about 1 hour of use time on a single charge. The device does not have a removable battery so you'll have to charge it with a portable battery when in the field. 

It's a 360 degree video

The output from the device is either a JPG or MP4 file with metadata identifying it as a 360 degree video. You can upload this to Youtube, Facebook, Twitter or Flickr and it will identify the file appropriately and then perform all of the required processing in the background to make it immersive and navigable.

Each 1 minute of video consumes about 100MB of storage and if you transfer it via WIFI to your phone will take 3-5 minutes. During this time you have to leave the app open and therefore won't be able to do anything on your device (or you can transfer it via USB if you have a laptop).

The free Theta+ or Theta+ video apps let you edit videos and even create non 360 degree cropped output files. They are fairly basic but allow you to add text, music or trim the video length.

When possible, use a tripod (even a mini one) to hold the camera otherwise you are likely to see fingers in the shot as you press the recording button. Or use the smartphone app to start/stop recording.

It can live stream

The Ricoh Theta S can also live stream when connected to a desktop with the special Theta software loaded on it (Mac and Windows). To enable live streaming you "Press the shooting mode button and power button of the camera together". 

You can live stream your 360 degree masterpiece to Youtube or Facebook. You may want to add the free OBS Studio app to the streaming mix.

Important considerations

• First is the price. At roughly $350US it isn't a cheap product and it can't be your main or only recording device. 
• It doesn't shoot in 4K. Considering most people will be viewing this content on VR visors, smartphones or in web browsers, this should be a major problem but it is important to remember.
• The built in 8GB of storage (no SD Card support) is annoying. It's major competitors (Nikon Keymission 360, Samsung Gear 360 and Insta360 all accept nano SD cards).
• Without a removable SD card, you also can't just "pop out" the card and transfer data at super fast speeds using a USB card reader.
• If you edit the 360 pictures, some editors will strip the 360 degree marker from the metadata and the uploaded sites won't know that it requires special handling. You can add this back but its a pain.

Conclusion

If you want to buy an affordable, easy to use 360 degree video camera, the Ricoh Theta S is the one to buy today. It offers the right combination of quality, price and features. With everything said and done, it is still early days and the experience still isn't perfect.

I wouldn't recommend my parents go out and buy this. Not yet. Not right now. If you have a desire for 360 degree video then go out and get one. You won't be disappointed as long as you remember it's not a mass market product yet.

For John and Jane Doe, the technology still needs to mature and improve a bit.

2017 is shaping up to be a busy year for Information Security professionals. The last major hack was HipChat from Atlassian. Surprisingly most consumers still "don't care" about their data security and millions have bad security hygiene.

Visualizing the hacks

To make the data more palatable, firms have tried to create visually appealing representation of these hacks. The first is called the World's Biggest Data Breaches and provides a nice easy to understand list since 2004. 

Hovering your mouse over one of the bubbles provide a general summary regarding the breach.

Clicking on the bubble give a short description about what was taken.

Finally clicking on this information card takes you to a news article regarding the breach.

Who is attacking who (now)?

Cyber is the new attack space and people are attacking each other all the time. How do you visualize this constant barrage of attacks? Using a pew pew map (as we call it in the industry). It's called a pew pew map because one of the most used services adds a little pew pew sound to the attack map if you want.

It's important to know what these maps show and what they do not show. It is impossible to show all attacks in real time across the internet. Each of the companies providing these types of maps uses its own collection techniques and it is an attempt by them to show are realistically as possible what their tools are seeing. Their data could be based on customer site equipment they manage, honeypots (decoy systems used to gather information about attacks) and general monitoring of the internet. No one company has an all encompassing view and none of these should be considered as the absolute truth.

The grand daddy of this type of free attack mapping service is IPViking. This is probably the favorite most viewed free attack map on the internet. For each attack, they show attacking organization name, internet address, target city and target service. As I write this, the service seems to be down so I am not able to add a visual representation of it but it is worth checking out.

FireEye is the 800lb gorilla when it comes to incident response (since they bought Mandiant) and they have their own free attack map. The FireEye map is fairly basic with limited refresh and limited supporting data but it is still clean and easy to understand.

The next map comes from Arbor Networks. Arbor powers the network protection tools for many large national carriers and says their map is fed from 270+ ISP customers. What's unique about the Arbor offering is that it allows you to go back in time (to 2013). Additionally the arbor tool provides neat information (such as type of attack, port, unusual traffic, etc).

The OpenDNS map (Cisco) isn't something I use often but it is visually appealing so here it is for your viewing enjoyment. 

And of course there are many many many more on the web. 

Who got hacked in 2017

2017 has started with a bang and hopefully it isn't a sign of things to come. here are some of the more interesting ones:

1. Washington school of medicine - A Washington School of Medicine employee is believed to have fallen victim to a phishing attack that may have compromised 80,270 patient records. 
2. Intercontinental hotels group - IHG which owns prime hotel brands like Crowne Plaza, Holiday Inn and many, suffered a data breach on its payment processing systems which may have impacted 1,200 hotels. 
3. Arby's - It looks like the chain was infected with a Point of Sales malware that may have stolen information from up to 355,000 credit and debit cards. 
4. Saks Fifth Avenue - Buzzfeed reported that the chain may ave inadvertently exposed private customer information to the internet. They provided a snapshot of the information as proof.
5. Free Application for Federal Student Aid - An IRS website designed to help students apply for student aid was "attacked" and the tax information of up to 100,000 taxpayers may have been taken. As I write this, the IRS believes 8,000 fraudulent returns were already files costing them $30M. 
6. E-sport entertainment Association - On December 30 2016, ESEA issued a warning to its members after it discovered a breach. OVer 1.5M people were impacted by this breach. Information included username/encrypted password,  email address, date of birth, zip code, telephone number, website, steam ID, XBOX ID and PSN ID.
7. Dun & Bradstreet - D&N found its marketing database with 33 M corporate contacts shared across the web in March. The company claimed it was not breached but likely one of it;s customers, who had bought the list, probably lost it. It contained information for millions of employees in companies like AT&T, Walmart, CVS Health and many more.
8. Chipotle - The burrito restaurant posted a Notice o Data Security Incident to its website advising visitors that it had detected suspicious network activity in a system that supports in-restaurant payment processing. Information is scarce since their investigation is ongoing but this is the latest show to fall so far this year (April 25 2017).

What can you do?

A message to all consumers is that you are responsible for your data protection. If you are sloppy or careless, you will be impacted and you will have no one to blame but yourself. 

1. Use a password manager like KeepassX, Lastpass or 1Password. [ Simplify password management [for free] with LastPass ], [ Protect your online accounts from compromise before its too late ]
2. Generate long impossible to guess unique passwords for each internet service you register for [5 best Random Password Generators ] 
3. Enable 2 factor authentication on any site that supports it. A list of sites can be found here. An article comparing Authy to Google authenticator can be found here. 
4. Clean up your social media authorizations regularly using this tool. Make sure only apps and services you currently use have access to your social media networks.
5. Deal with firms that prioritize your privacy and security. Using any free email system means you are giving the provider access to your email so they can profile you and target advertising. This means they can access your data and if they have a rogue employee or hacked, those too will have access to your unprotected information. ProtonMail is an example of a paid provider that does not have access to your information unencrypted so even if they are hacked, hackers will not get anything usable. Instead of using Dropbox or OneDrive, check out SpiderOak for encrypted online storage. Like Protonmail, they store your information in encrypted form only and if they are hacked, any data gained by the attacker would be useless.
6. Use fake information - Sites often ask you for personal information when you register so they can challenge "you" when you need a password reset. The problem is many of the questions have easy to find answers (like your mother's maiden name) and if one of these services is hacked, the attackers can use this information on other sites. I recommend providing fake answers to these questions and make them unique to each site. Use your password manager to store the answers. 

TL;DR: I have tested dozens of headphones over the last 12 months and the QuietComfort (QC-25) 25 is still the most comfortable headphone with excellent noise cancellation and good sound reproduction. 

Comparing the QC-25 to the QC-35

The QuietComfort 35 (QC-35) is the wireless bluetooth version of the QC-25. The QuietComfort 35 (QC-35) offers slightly better noise cancellation and a slightly different noise profile. If you need bluetooth (iphone 7 or iphone 7 Plus) then get the QC-35 otherwise I would recommend getting the cheaper QC-25.

Not for everyone

Noise cancellation headphones are not ideal for people that need noise-cancellation sometimes. Noise cancellation headphones are not a replacement for regular headphones. If you need good all around headphones then don't get this (or any other noise cancelling headphone) or you will be disappointed. 

The golden rule is that noise cancellation headphones add about $100-150 to the cost of headphones and typically deliver worse overall sound quality when compared to non noise-cancellation models. I can't stress that enough. 

Noise cancellation works extremely well for low frequency (machine style) sounds like train on a track or airplane engine noise. They don't work as well for higher frequency sounds like voices or crying babies on a plane.

If you only need noise reduction occasionally, then you may be better served by a good pair of sealed headphones. You would get better sound quality and would probably pay a lot less.

Who should buy the QC-25

I just wrote 4 paragraphs of who shouldn't buy the QuietComfort 25 (Qc-25). It is important to note that anyone who is a frequent traveler (plane or train) will definitely benefit from these headphones. By making your travel a little bit quieter, you will arrive less stressed and more refreshed.  

Quietcomfort 25 (QC-25) versus in-ear headphones

The best question I need to address is the eternal debate between these types of on-ear headphones and in-ear headphones. The truth is that there is no golden rule that is right for everyone.

Some people opt for in-ear headphones because they are smaller and lighter. Many people who wear glasses also prefer in-ear headphones because their frames may prevent the headphones from sealing properly this allowing the dreaded noise in.

Bose, likely due to owning several important noise-cancellation patents, currently makes our picks for the best over-ear and best in-ear noise-cancelling headphones. Which one should you choose? There’s no simple answer, as it depends on what you’re looking for.

The third reason I have found some travelers prefer in-ear headphones is that they find them better to sleep with on flights.

The fourth reason is that some people find that on-ear headphones make their ear hot after extended use. 

The fifth and final point is on noise cancellation for low frequency sound. From a sound quality, the Bose noise cancelling headphones (QC-30) tend to reduce low frequency noises a little more and offer some noise-isolation which makes things just a little bit quieter. Mid and high sound reproduction is always better with bigger headphones for the QC-25/QC-35 takes the crown here.

Additionally some people just can't stand having anything inserted into their ears. They find it annoying and bothersome. Obviously if you fall into this category, go with the QC-25/QC-35.

Conclusion

If you are looking for amazing sounding, super comfortable wired on-ear noise cancelling headphones then get this. The sound is good enough, it is comfortable (even on a long haul Toronto to Hong Kong flight) and it fits in a relatively smallish case for easy carry.

It offers good low frequency sound reproduction (40Hz or below) and the rest is a little muddied (which is normal for noise cancelling headphones). You can use the QuietComfort 25 even when the batteries die (which is a nice upgrade from previous models) but the sound is pretty bad but at least you aren't stranded witout entertainment. 

If you need bluetooth because you can't live with wires or your smartphone got rid of the headphone port (looking at you Apple), then go with the QuietComfort 35 (QC-35).

Why would anyone use Protonmail instead of Gmail or Hotmail? SECURITY

Email is inherently insecure and if you are a political dissident whose online communications can mean the difference between living and dying, don't use email. For everyone else looking for an easy and secure email solution, keep reading about Protonmail.

We use email because we don't have a choice and everyone agrees it won't be displaced tomorrow.

The other major issue faced by secre service providers is ease of use. PGP is a good example of strong unbreakable email encryption that never became mainstream because it was simply too complicated for the mortal man. 

There is always a tradeoff between usability and security, The difficulty is finding the right balance.

So what does Protonmail offer?

The bright scientists behind Protonmail understand fine balance they must find between usability and security. Make the product too secure and no one will use it (aka bankruptcy) or make it extremely user friendly but not secure (become a me too email provider). 

They have chosen to implement good enough security which makes encryption generally accessible to the masses while protecting against unauthorized government seizure or mass surveillance.

What are the weaknesses of Protonmail?

Read my blog post about the Vault7 leaks (here) and you will realize that when government is stifled  by strong encryption (Whatsapp, Signal, etc), they compromise the endpoint and extract the information pre/post-encryption. 

Protonmail does not protect you if your endpoint is compromised. It would be unreasonable to assume any secure online service could protect you from this type of attack. if you want maximum endpoint security, learn about real security protocols and use a secure operating system like Qubes OS.

Nation state level man in the middle attack. Protonmail implements all of the controls to prevent a common man in the middle type of attack but a nation state actor with the ability to redirect your web traffic and generate real "fake" TLS certificates could theoretically intercept your traffic, ask you for your username/password then use those to access your account and decryption keys. Let's be clear that your garden variety hackers (even those that are extremely skilled) won't be able to pull this off. This would require skills, money and huge technical capabilities to reroute internet traffic and generate encryption certificates.

Intelligence break in. With all the talk about government backdoors, the third major weakness of Protonmail (and all other secure services products you did not write) is the fear that a nation-state actor would somehow infiltrate Protonmail and then implement "special" code that sends bad encryption code to the users thus allowing the threat actor to access unempted versions of the messages. Protonmail has stated that they have multiple controls in place to protect against this type of attack. They scan servers for unauthorized code changes.

Some nice features of Protonmail

Protonmail is a Swiss company based in Switzerland. Any government request for information would have to be done there using Swiss law, which is very protective of private information (USA cannot issue a National Security Letter to force the company to turn over information and hide the request from the user).

In the rare situation that a government were to spend the money and convince the Swiss court to compel Protonmail to turn over user information... Protonmail uses "Zero Access Cryptography" which means they do not hold the encryption keys and therefore can only turn over encrypted information. 

Protonmail supports (and you should use) 2-factor account authentication. This means that in addition to something you know (your username and password), you need something you have (a time based authentication code generated by an authentication app Google Authenticator or Authy.)

If you want to send something more secure than normal email to a non-Protonmail user, you can create a Protonmail hosted message that requires a password to open (obviously don't send the password using email) and can even have a fixed expiry date. 

Protonmail stores user based encrypted authentication logs. This means you can see when your account was logged into and from which IP address. You can turn this off it you don't want this captured. Protonmail does not capture or log your IP anywhere else.

The ProtonMail service has internal authentication logs. When I say internal, I mean that these details are available only to the account owner, and are recorded and encrypted with all the other data inside the account. As I mentioned earlier, Proton Technologies AG doesn’t log IP addresses, but this information can be logged inside your web client session. If you don’t need them, just wipe the logs and switch to basic mode which doesn’t record info on the IP addresses you logged in from.

Basic stores login dates / times only. Advanced also stores the IP Address from where you logged in. The choice is yours. You can always download this information or secure erase it.

No user profiling. When you use a free service, the provider is conducting deep analysis and creating a deep analysis about you. Protonmail doesn't do this since everything is encrypted.

They encrypt all non Protonmail emails received immediately upon ingestion. 

This is good for security but limits what they can do for SPAM control. In a blog post, they explain what they do to help fight SPAM:

1. They check the IP address of the incoming SMTP server against known blacklists
2. They pass all messages through their own Bayesian filter marking suspicious emails as SPAM
3. They generate a checksum for each email message and verify this checksum against known SPAM messages
4. They verify the authenticity of the email using standard protocols (SPF, DKIM and DMARC)

Sending secure emails to non Protonmail users

I alluded to this earlier but wanted to restate it here in it's own section since I would otherwise receive a dozen emails asking this question. 

When sending emails to non-Protonmail users, you can:

1. Send an un-encrypted standard email. This is what every other email provider does.
2. You can use the lock icon in the compose window which asks for a password (See screenshot earlier in this post). In the case this is set, the recipient will receive a message with a link to a Protonmail web interface and he/she can use to  enter the provided message password and see the email. 

Free versus paid

Protonmail offers a free basic tier and I recommend everyone start with this level. If it meets your needs, you should consider upgrading to a paid tier which offers custom domains and more storage. 

Conclusion

I love Protonmail and am moving my private (not public) email address there. I like the security it provides and the open philosophy they espouse. I say use them if you want something more secure and private.

You may also want to read my article about SpiderOak. SpiderOak is a Google Drive, Microsoft OneDrive or Dropbox alternative with strong trust no one encryption.

Right or wrong, Edward Snowden has become the poster child for online privacy. He has been adamant that anyone interested in true online security should stay away from the name brand online services : Dropbox, Facebook, Google, etc.

Trust No One Security

Before we talk about SpiderOak, this is a good time to write about TNO (Trust No One Security model). This is a philosophy that dictates that anytime security is needed, strong encryption must be applied and the keys to that encryption must be kept in the hands of the user. 

As an example, anytime you conduct online transactions with your bank, you connection is encrypted using end-to-end encryption (TLS) but the keys are held by the bank and created by a certificate authority. Either of those 2 can therefore intercept and decrypt the traffic if they have malicious intent. 

In the TNO model, the provider does not hold the keys to the kingdom and cannot therefore decrypt or access the data in its native format. 

Anytime a provider has the capability of resetting your password, it means it is NOT TNO and it means the provider can access your data. If they can access your data, that means a hacker may also be able to compromise their systems and access your data.

What is SpiderOak?

Unless you are a techie or a security person, you probably haven't heard about SpiderOak. Short of rolling your own cloud service, SpiderOak is the most secure commercially available TNO cloud service around.

The key to the magical security they provide is that your client encrypts all of the data on your computer before being sent through the security hostile internet to SpiderOak. They cannot see the content and if you love you password (aka encryption key), you have to create a new account and restart from scratch.

So you get Dropbox, Google Drive and Microsoft OneDrive like features, without having to trust the provider. 

Why is TNO important?

Governments are becoming very hostile towards individual privacy. The Snowden leaks have shown that the secret FISA courts allow law enforcement to compel the turnover of user data without having the ability to notify them. With most cloud storage companies, this means they (or a hacker) can gain access to your data and then do with it whatever they want.

With SpiderOak's encryption model, they can turn over your encrypted data but they do not hold the decryption keys. The encryption is strong enough to make forced automated decryption unpractical. This means they would have to secure a court order and force you to hand over the decryption keys.

If a hacker does compromise the SpiderOak servers, the data is once again encrypted and therefore unusable by these bad actors. 

It also means they are not and cannot use your data to profile you. 

SpiderOak features

So you are convinced they offer the kind of security you want. What about features you say.

First and foremost, they offer automatic (on change) backups. This is a set and forget model that works in the background.  There is no file size limit. There is no file type restrictions. No bandwidth control or throttling on their end (some providers slow down your connection if you try backing up large amounts of files to protect the responsiveness of their service for their entire user population). 

It can backup mapped (external USB connected) drives. 

Any issues with SpiderOak?

Files are encrypted on your device and SpiderOak cannot access them unencrypted so they are unable to offer offline file delivery (sending you a hard drive with your files). 

Anytime my computer is disconnected for a while, Backblaze sends me alerts notifying me it hasn't been able to backup my files in XX days. SpiderOak has no such notification mechanism. They could implement this even with the TNO model.

During my testing, I simulated an unreliable WIFI connection to see how the client would react and eventually it hung. Even when the connection became stable and on for 8+ hours, the client stopped backing up. Rebooting didn't help. I was forced to uninstall the client, reinstall it and create a completely new backup set. This was a bit annoying. The doubly annoying issue was that support is only available through email. Support seems to be available during standard north american business hours and usually response takes 5-8 hours.

Another issue is that although they offer mobile clients (IOS and Android), those clients are read-only (aka you can't upload content). SpiderOak did say they are working to add this functionality but they didn't provide any timeline. "Currently, you are unable to upload documents using the Mobile Application. We are working on including this feature in a future release." (mobile info)

There is no way to identify a connection as "metered" and tell it not to backup using that connection (like a pay per use WIFI LTE hotspot).

Not a technical issue but the pricing is a bit more expensive than I would have hoped. I am willing to pay more for security but wish they offered more storage with each paid tier. 1TB of storage on Google and Dropbox costs $9.99 a month.

My experience

Overall my experience was good but not great. Because plans are capacity based, you can sync as many devices you want. Because everything is encrypted, there are no file type restrictions. 

Versioning worked well. They seem to use a bit level delta storage function which means you aren't consuming space for the entire file with every version.

SpiderOak provides tones of information about security. 

Files can only be permanently deleted from the original device they were uploaded from. This is a great feature.

You can right click on any folder (or file) in Windows explorer or the Mac finder and ask SpiderOak to back it up. Easy. 

You can download backed up files to any computer via the web interface.

Conclusion

There are small annoying things I would like them to solve but no major show stoppers. My biggest gripe is not being able to upload via mobile or Chromebook. I really wish they would solve this. 

Outside of that, I like everything else I have seen and think they should be your go to provider for safe and secure online storage.

Related articles:

• Bruce Schnier on TNO here. 
• Steve Gibson on TNO here.

Each year, I test hundreds of new and different items that compete to find a place in my everyday carry kit (EDC). To be clear, my EDC is build for the urban environment and not wilderness survival. 

4 years ago, I tested and fell in love with the Glo-toob lights and it has been part of my kit ever since. I just realized I have never written about it an wanted to share it with you. 

Why not use a cheap glow stick?

Anyone that is building a serious EDC kit knows that you need redundancy. My main everyday carry (EDC) flashlight is the OLight S15R baton with a rechargeable battery. My secondary flashlight is the Ti3 by thrunite (which uses easy to find AAA batteries). there are times when you need a glow stick type of light and for those times, I rely on the Glo-Toob.

Why not use a cheap $5 glow stick? The typical (even high quality) glow stick or Chemical light stick is first and foremost not environmentally friendly (it is disposable and an environmental pollutant). Anyone that has carried them knows that they leak (which also means it won't work when you need it). Plus once you activate it, that's it.

Most of the time, I need it for 5 minutes, 60 minutes or even 180 minutes but that's it. With a chemical glow stick, once you activate it, it's end of life. 

Why I chose the Glo-Toob

I knew I wanted something else as my everyday carry glow stick alternative, but it took several tries until I found the Glo-toob.

First thing you notice is the solid construction (it can withstand the rigors of constant travel and being bumped in a pocket, bag or briefcase). It's waterproof to 200 feet (60 meters). I have taken it night scuba diving to 135ft and have never had issues but it's most common use is in rain or snow and it has worked flawlessly.

It is a small rounded cylinder which means it is small enough for everyday carry. This is something you overlook until you start carrying it all the time. Small and light are critical and the Glo-toob is 10/10 on both points (weights 34g with the battery).

It can be powered with different types of batteries (depending on the model) but I chose the AAA powered one (Original GT-AAA). As I travel and carry this with me, I need to know that I can buy the required power source for my gadgets easily and AAA batteries are available in every street corner anywhere in the world.

The last point was that it had to provide a 360 degree stream of light (similar to a glow stick), which it does. 

Using it

I own 2 GT-AAAs: one with a white LED and one red a one. It has 3 modes (you activate by twisting the cap on and off) high intensity (100%), low intensity (25%) and rapid strobe. Other models offer up to 11 modes and I saw a Chinese competitor with 21 modes but... and the but here is that simple is better. If I need to use this in an emergency, I don't want to fiddle with my EDC gear. By having only 3 modes, choosing the right one is simple.

In low power mode, it is a great long lasting marker light that you can strap on a dog collar or backpack. In high powered mode, it is a great emergency light (during a power outage) or a light you can give the kids without worrying about it breaking.

I have used it while camping to mark our campsite. I have used it when I had to stop on the side of a busy highway at night as a safety beacon. I have used it as a market when canoeing at night. I have used it during power outages and once when  I was stuck in a stopped elevator.

I have used it in high powered mode for about 6-7 hours (with a single AAA battery).

Negative comments

When working on a review, I scour the internet looking for comments (positive or negative) from other users. In this case, I saw a handful of comments touching similar points and I wanted to address these ones:

• disappointed by the amount of light : this is not a flashlight replacement. If you buy it thinking it is you will obviously be disappointed. This is a replacement for a chemical glow stick.
• leaked during a dive : With over 85 dives under my belt, I can tell you that I have lived through all kinds of equipment failure at depth. That's one of the reasons everything is done in twos. You never dive alone, you have 2 regulators, etc. Anytime you are in a remote location (whether on land or in the water), you need backups for all your primary systems. Failures happen either because the gear is defective, improperly maintained or improperly used. 
• worked only a couple of times : I have 2 of these lights and other friends have bought them after testing my units. My units have been in my EDC kit for 4 years now and even after diving, camping and being abused in torrential rain and deep snow, they perform flawlessly. Of the 10 or so units owned by friends and acquaintances, none have failed. It's important to realize that any electronic product can fail and buying it from a reputable reseller (like Amazon) means you have someone to contact if you do need a warranty replacement. 

The Chinese knockoffs

Search AliExpress.com for Glo-toob, EDC warning light or a combination of these types of keywords and you will find hundreds of listings selling these types of tubular lights. I ordered 3 of them ranging from 8.99-14.99 and most ended up being branded EDCGear. 

These are cheap knockoffs and you can feel it immediately. The plastic is light and flimsy. The units have cheap O-rings and none of them lasted more than a couple of uses. The light quality wasn't as good. Build and construction weren't as good and all 3 died immediately when I performed the sink dunking water test (even though they were marketed as waterproof). 

Sometimes the Chinese versions as just as good but this is not one of them. Save yourself the frustration and buy the original from a retailer that will stand behind the warranty.

Conclusion

Priced at around 4-5 times the price of a high quality chemical glow stick, these Glo-toobs are a great investment and will quickly become part of your EDC, camping and survival gear. I love them and recommend them.

It seems every time there is a terrorist attack, governments around the world use it as an opportunity to chip away at encryption. The latest attack was the UK Home secretary, Amber Rudd, who called WhatsApp's end-to-end encryption "completely unacceptable". She then adds that there should be “no hiding place for terrorists”.

Encryption is publicly known mathematics and there is no way to put the "cat back in the bag". If encryption is banned for law abiding Joe and Jane public, it makes everyone less safe but terrorists will simply use their resources and public encryption libraries to write their own encrypted programs and do their evil work. 

Minister Rudd's comments are the clearly from someone that doesn't understand the technology and how it is the fundamental underpinning of our entire technological society. Anytime you perform online banking, file your taxes with the government online or request a government service, you are using an encrypted channel of communication called TLS. It is the technology that makes using sensitive services on the internet possible. 

Banning encryption would mean no more online shopping, banking or anything else that requires privacy. So banning would not be accepted by our always online generation.

Government would counter this argument by saying they "simply" want a back door and not a ban on encryption. A backdoor would allow intelligence and police to more easily perform investigations while keeping general encryption alive. 

As a security professional, let me be clear that this is simply not possible. The minute a backdoor is implemented, it becomes a vulnerability that threat actors would attempt to find and exploit (organized crime, nation-state actors, foreign rogue governments, etc).If the Snowden and Vault7 leaks have shown us anything, it is that even government has issues keeping secrets. The reason encryption works is that it is based on mathematics and remains perfectly secure even though all the protocols, formula and applications are well know. 

Creating a backdoor for the good guys means you are also creating it for the bad guys. 

The Vault7 leak showed that governments have already solved the Whatsapp encryption issue by hacking the end device. When hacked, government can see pre/post encryption messages and therefore they are able to get the information they need. Yes it requires more work but every job has its challenges. This would bypass the encryption of Signal, Whatsapp or any other encrypted communicator.

Terrorism is a bad thing that affects as all. It is the worst of humanity being manifested because of hatred and misunderstanding of one another. Politicians are targeting encryption because it is the easy target but it isn't the right one.

As a geeky security professional, I will always be able to protect myself by rolling my own encryption, but the general population won't. Considering everything about us can now easily be stolen from our smartphone, I'm worried about any weakening of encryption. Just think about everything stored on your device (location history, contacts, social networks, where you have been and what you have done, health information, etc) and how you would feel if someone had access to all of it without your knowledge. 

We need technically knowledgeable politicians that will fight the good fight (against terrorism) without trying to neuter good wholesome public protecting technologies. It's like saying we will ban pools because there were 3,536 fatal non-boat related drownings in 2015 (there are over 8M pools public and private in the USA). We can't let a small batch of rotten apples contaminate the entire batch of cider.

The media loves stories about how Google, Facebook and Microsoft are tracking users and profiling them. These stories sell papers and draw in eyeballs. What they don't tell you is that your ISP actually has more visibility into what you do online than any of those giant service providers. 

If you don't see what the big problem is, read this article : How Target knows you are pregnant through data analytics. You may not realize it but the bread crumbs you leave behind are incredibly valuable to marketers, insurers and anyone else interested in using psyops to trick you.

Choose your ISP wisely

The most important fist step is choosing an ISP that will stand up for user privacy. When I moved to Toronto, I went with Teksavvy that seemed to have a more open corporate policy regarding the protection of customer information and at least says they try to limit data collection.

Choose an ISP (if possible) that has policies protecting you.

HTTPS

I have been extolling the virtues of SSL/TLS for 10+ years and Google gave the machine a kick in the but when it started favoring secure connection in its search results. Anytime you see https and that green lock icon near the URL, it means all traffic to and from that site is encrypted and cannot be modified, copied or eavesdropped on. All very good things.

A group of small to medium sites still didn't want to go through the cost and hassle of implementing TLS but a consortium called Let's Encrypt made the process easy through automation and free. Large internet site providers like Wordpress and Squaresapce jumped on-board and offered this as a checkbox addon to any site they host. So now there i no excuse.

As a user, you have to remember to force the connection to the secure https protocol (since most sites still support both and not all automatically redirect to the secure version.) Enter the free browser plugin called HTTPS Everywhere. 

HTTPS Everywhere

EFF makes this browser extension so that users connect to a service securely using encryption. If a website or service offers a secure connection, then the ISP is generally not able to see what exactly you’re doing on the service. However, the ISP is still able to see that you’re connecting to a certain website. For example, if you were to visit [www.eff.org/https-eve...](https://www.eff.org/https-everywhere,) your ISP wouldn’t be able to tell that you’re on the HTTPS Everywhere page, but would still be able to see that you’re connecting to EFF’s website at https://www.eff.org

While there are limitations of HTTPS Everywhere when it comes to your privacy, with the ISP being able to see what you’re connecting to, it’s still a valuable tool.

If you use a site that doesn't have HTTPS by default, email them and ask them to join the movement to encrypt the web.

VPNs

In the wake of the privacy rules repeal, the advice to use a Virtual Private Network (VPN) to protect your privacy has dominated the conversation. However, while VPNs can be useful, they carry their own unique privacy risk. When using a VPN, you’re making your Internet traffic pass through the VPN provider’s servers before reaching your destination on the Internet. Your ISP will see that you’re connecting to a VPN provider, but won’t be able to see what you’re ultimately connecting to. This is important to understand because you’re exposing your entire Internet activity to the VPN provider and shifting your trust from the ISP to the VPN.

In other words, you should be damn sure you trust your VPN provider to not do the shady things that you don’t want your ISP to do.

VPNs can see, modify, and log your Internet traffic. Many VPN providers make promises to not log your traffic and to take other privacy protective measures, but it can be hard to verify this independently since these services are built on closed platforms. For example, a recent study found that up to 38% of VPN apps available for Android contained some form of malware or spyware.

Below, we detail some factors that should be considered when selecting a VPN provider. Keep in mind that these are considerations for someone who is interested in preventing their ISP from snooping on their Internet traffic, and not meant for someone who is interested in protecting their information from the government—a whistleblower, for instance. As with all things security and privacy-related, it’s important to consider your threat model.

• Is your VPN service dirt-cheap or free? Does the service cost $20 for a lifetime service? There’s probably a reason for that and your browsing history may be the actual product that the company is selling to others.

• How long has your VPN provider been around? If it is relatively new and without a reliable history, you’d have to trust the provider a great deal in order to use such a service.

• Does the VPN provider log your traffic? If yes, what kind of information is logged? You should look for one that explicitly promises to not log your Internet traffic and how active the VPN provider is in advocating for user privacy.

• Does the VPN provider use encryption in providing the service? It’s generally recommended to use services that support a well-vetted open source protocol like OpenVPN or IPSec. Utilizing these protocols ensures best security available.  

• If your VPN provider uses encryption, but has a single shared password for all of the users, it’s not sufficient encryption.

• Do you need to use the VPN provider’s proprietary client to use the service? You should avoid these and look for services that you can use with an open source client. There are many clients that support the above-mentioned OpenVPN or IPSec protocols.

• Would using the VPN service still leak your DNS queries to your ISP?

• Does the VPN support IPv6? As the Internet transitions from IPv4 to the IPv6 protocol, some VPN providers may not support it. Consequently, if your digital device is trying to reach a destination that has an IPv6 address using a VPN connection that only supports IPv4, the old protocol, it may attempt to do so outside of the VPN connection. This can enable the ISP to see what you’re connecting to since the traffic would be outside of the encrypted VPN traffic.

Now that you know what to look for in a VPN provider, you can use these two guides as your starting point for research. Though keep in mind that a lot of the information in the guides is derived from or given by the provider, so again, it requires us to trust their assertions.

Tor

If you are trying to protect your privacy from your Internet company, Tor Browser perhaps offers the most robust protection. Your ISP will only see that you are connecting to the Tor network, and not your ultimate destination, similar to VPNs.

Keep in mind that with Tor, exit node operators can spy on your ultimate destination in the same way a VPN can, but Tor does attempt to hide your real IP address, which can improve anonymity relative to a VPN.

Users should be aware that some websites may not work in the Tor browser because of the protections built in. Additionally, maintaining privacy on Tor does require users to alter their browsing habits a little. See this for more information.

It’s a shame that our elected representatives decided to prioritize corporate interests over our privacy rights. We shouldn’t have to take extraordinary steps to limit how our personal information can be used, but that is clearly something that we are all forced to do now. EFF will continue to advocate for Internet users’ privacy and will work to fix this in the future.

Since the tightening of US border entry rules, readers have been emailing asking:

Canadian readers (and non-US) travelers to the US wanted to know what the new tighter controls mean when crossing into the US. 

The first important truth most travelers need to accept is that "entering another country is a privilege and not a right". Although the controls may have tightened a bit, they haven't changed materially. Having visited over 40 countries in the last 30 years, I accept the fact that anytime I cross a national border, I am subject to the controls of that country and prepare accordingly.

The cardinal rule of information security is "know your risk". The first step is to determine all your risk factors (status entering that country, data you will be traveling with, travel history, your background, travel risk level of the region you are entering, etc).

Before you leave

1. Minimize the amount of information you travel with. People often forget the treasure trove of information they carry on a daily basis. Your smartphone (as an example) contains all your contacts, login information for all your social networks, health information, GPS location history, networks you have connected to, etc. Anytime you cross a border (not just the USA but this applies to any national border crossing), the agents are tasked with protecting that county and may "take" any information you are entering the country with to determine your traveler risk. Do not take anything you wouldn't want to hand over.
2. Minimize the amount of devices you travel with. This may sound stupid but I have seen business travelers cross the border with a personal smartphone, work smartphone, a personal tablet, a work tablet and a work laptop. Understand that anything you enter the country with can be seized or taken  for analysis. With all the Snowden, Vault7, Wikileak dumps, its clear that if a border agent touches your device, you shouldn't use it anymore. You should assume it has been permanently hacked. Where possible, do not bring devices with you. If you do, try to bring "disposable" devices you wouldn't mind throwing away if need be.

What should I do before crossing the border?

1. Remove all information from your devices that you do not absolutely need to bring with you.
2. Anything you could need, try to move it to the cloud and securely delete your local copy.
3. Delete any apps from your smartphone for which you don't want to hand over login credentials to.
4. If you use a password vault solution synchronized with the cloud, you may want to delete that (Lastpass, 1Password) and reinstall it after you enter the country.
5. If you use a cloud synchronized 2-factor authentication solution, you may want to delete that (Authy) and reinstall it after you enter the country.
6. If you can, leave the device at home. If you have a work phone, bring it with you but leave your personal back home.  Instead of bringing a tablet, try to load your content on the smartphone.
7. If you can, travel with the least complex device possible (chromebook instead of a laptop or tablet instead of a laptop)
8. Ensure device encryption is turned on.
9. Turn off your devices before crossing the border.
10. Switch the unlock mechanism from fingerprint to password based.

At the border

Never lie to a border agent. Never! Ever! Ever!

Any foreigner that refuses to comply with a border agent request (any border not just the USA) will likely be turned away and sent back to their home country. In extreme cases, you can even be bared from entering that country again.

This means that you are "forced" to comply with any request made by the border agent. If asked for your device password, you can provide it and cooperate or defy them. If you defy the request, they will likely take the device and send it for investigation while denying you entry (maybe even keeping you for secondary questioning). Either way, once you "lose control" of your device, you should assume it has been permanently hacked and that a clean re-install will not make it trustworthy again.

They may also ask you for your social media login information. Even if you do not have the app installed on your devices, they know you have an account and can ask for the credentials. Never lie. Refusing to cooperate can cause you to be detained for additional questioning and given an entry ban.

What should I do while crossing the border?

1. Always be polite and respectful. Remember the agent is doing his/her job.
2. Never lie. Always be truthful. 
3. If asked to hand over a device or password, I would do it without putting up a fight. Once you are at the border, you have decided you are engaged and have to cooperate. 

After crossing the border

If your work device was accessed at the border, notify your company information security group immediately. 

If your personal device was accessed, you have to think long and hard about what you want to do. Know that there may be a permanent (un-removable) backdoor or tracker installed on the device. In some cases even a complete factory reset won't remove it. What do you want to do? In the security space, we recommend throwing the device away and buying a new one but this is a personal decision especially with a $1000 smartphone, tablet or laptop.

Also if they accessed your device or asked for your social media login information (username/password), assume they downloaded you social graph (all of your contact info and the contact info of your contacts). I would change all my social media passwords and double check my account information (email address, recovery phrases, telephone numbers, etc). Also notify your network that you lost control of your social media account and to be extra vigilant with requests and the information being shared with you. 

Other recommendations

If you travel to the US regularly, think about applying for a Nexus card (if you are a Canadian). Having a Nexus card means you have been deeply vetted and all of your fingerprints are on file. My experience has been that the Nexus has made crossing into the USA much easier. 

If you are a tech neophyte, take the time to read up on device security and security best practices. The truth is you are solely responsible for your privacy and security.