It's true that VPN services at best provide less anonymity than Tor does. And that some, such as HideMyAss (which pwned that LulzSec dude) provide none. But PIA clearly does, as demonstrated now in two criminal investigations.[0]
Of course, in both cases, defendants pwned themselves through poor OPSEC. But at least PIA didn't give them up.
And the Facebook example. Nobody paying attention expects a VPN service (or even Tor) to hide their identity if they login using their real name. That's just stupid.
> And the Facebook example. Nobody paying attention expects a VPN service (or even Tor) to hide their identity if they login using their real name. That's just stupid.
A lot of users care about privacy, but have no idea how computer networking works. It's hard for these users to understand whether they're private or not. If you don't believe me, check out the tech support and recommendations over at old.reddit.com/r/vpn -- there's clearly a lack of knowledge about VPNs and computer networking. Probably once a week, someone will ask "How did [paid video streaming service] know I was using a VPN?" Or "X country can only spy on me if I have a VPN in that country, right?"
He's right about the scummy advertising, but I think he goes a little too hard-core contrarian in the end by basically suggesting the only reason to have a VPN is for airport/starbucks wifi.
If we're talking OPSEC, PIA is out, like any other that has your payment info. You'll need to have a few different anonymous VPNs and self-hosted VPNs/proxies to make random chains. Pay by coins only, throwaway emails.
No VPN service has my "payment info". Or at least, not any meaningful payment info. As you say, I use email accounts created through Tor, and pay with Bitcoin that's been mixed at least three times through Tor, using a different Whonix instance and a different mixer for each mix.
Of course one has to wonder how much of that "poor OPSEC" is actually just parallel construction. The linked article doesn't sound like it. But on the other hand with the way mass market VPN software generally works, how many people are going to be absolutely sure that all of their traffic definitely went out the tunnel?
The FBI having access to an NSA-provided tool that takes some IP addresses and returns other "associated" IP addresses (from trivial packet correlation on PIA's upstream) would produce a pattern of investigation that essentially looks the same.
Sure, a lot of it may be parallel construction. We do know that the NSA shares with the FBI and other TLAs.
If your threat model includes the NSA or the like, VPN services are at best a minor hindrance. Possible options include Tor and "anonymously" using WiFi hotspots.
I only know of one fundamental fail for Tor: the relay-early bug that CMU exploited. The others have involved Firefox and Windows bugs. People using Whonix in Linux hosts, and hitting Tor through nested VPN chains, would have been safe from any attack that I've heard of. But then, maybe I just haven't heard of the juicy ones.
I've tried the "anonymously using WiFi hotspots" approach. It's a pain in the ass. And in today's high-surveillance environment, I believe that it's a dumb idea.
It's true that VPN leakage is a serious risk. But you can use firewall rules to prevent DNS and traffic leaks. Or you can use VPN services whose client apps do that for you.
Also, I'm talking about desktop use. Doing any of this on mobile devices is a lot harder, I think. I'm not sure that I'd even bother.
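The "firewall rules to prevent DNS and traffic leaks" approach mentioned above, written out as an added example (not code from anyone in this thread): a POSIX shell function that emits an nftables kill-switch ruleset, allowing only the VPN client's own connection to its server on the physical interface, dropping plaintext DNS there, and letting everything else out only via the tunnel. The interface names tun0/eth0, the documentation address 203.0.113.10 and port 1194/udp are assumed placeholders to substitute with your own.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an nftables "kill switch" ruleset:
# only the VPN client's own transport may leave on the physical interface,
# plaintext DNS on the physical interface is dropped (so a resolver query can't
# leak the sites you visit), and all other outbound traffic must use the tunnel.
# tun0, eth0, 203.0.113.10 and 1194/udp are ASSUMED placeholders.

vpn_killswitch_ruleset() {
    # $1 tunnel iface, $2 physical iface, $3 VPN server IP, $4 server port,
    # $5 transport protocol (udp by default)
    tun="$1"; phys="$2"; server="$3"; port="$4"; proto="${5:-udp}"
    cat <<EOF
flush ruleset
table inet vpn_killswitch {
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # the VPN client's own traffic to its server; nothing else is allowed on $phys
        oifname "$phys" ip daddr $server $proto dport $port accept
        # a new DNS query on the physical interface is a leak: drop it explicitly
        oifname "$phys" udp dport 53 drop
        oifname "$phys" tcp dport 53 drop
        # everything else has to leave through the tunnel
        oifname "$tun" accept
        counter drop
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        counter drop
    }
}
EOF
}

# Self-check that needs no root: does the generated ruleset contain a given
# fixed string? Used to confirm the tunnel accept, the DNS drop, and the
# absence of a blanket accept on the physical interface.
ruleset_has() {
    vpn_killswitch_ruleset tun0 eth0 203.0.113.10 1194 udp | grep -qF -- "$1"
}

# To apply for real (as root, with nftables installed):
#   vpn_killswitch_ruleset tun0 eth0 203.0.113.10 1194 udp | nft -f -
```

After applying, `ip route get <some public address>` should report `dev tun0`; if the tunnel drops, the `policy drop` on the output chain means traffic simply stops rather than falling back to the bare interface, which is the whole point of the kill switch. Note that the DNS drop only blocks queries on the physical interface; the resolver configured in the OS still has to point at an address reached through the tunnel.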
The quip about someone being sure absolutely no traffic went out their access IP is that without extreme confidence, they won't be pushing their lawyer/team to scrutinize the chain of custody for the server logs, hinging their case on procedural grounds. Someone diligent enough to set up proper firewall rules is probably also forethinking enough to not go cracking random newspaper websites for fun.
And yeah in regards to criminal activity, I think it would be prudent to consider the NSA, specifically bulk processing of dragnet surveillance, part of the threat model in the modern age. It's very easy for the public narrative to focus on a guilt-implying needle in a haystack, regardless of how that needle was actually found.
I thought most folks believe that the NSA/CIA/some other TLA has control of more than 50% of the exit nodes, which should be enough to reconstruct the sources of most traffic.
It seems rival agencies (Chinese, Russian) should be interested in doing the same, or at least denying NSA this capability. I mean adding some exit nodes is not exactly expensive, seems like a low hanging fruit, doesn’t it?
Yeah, that's another argument. The NSA competes with its counterparts to own Tor infrastructure. And that competition prevents any one from owning enough to pwn users.
0) https://torrentfreak.com/private-internet-access-no-logging-...