Untitled

a guest Mar 9th, 2015 728 Never
  1. In no order
  2.  
  3. 1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?
  4.  == Hide.me == >No, we don’t keep any logs. We have developed our system with an eye on our customer’s privacy, so we created a distributed VPN cluster with independent public nodes that do not store any customer data or logs at all.
  5.  == ShadeYou VPN == >ShadeYou VPN does not keep any logs. The highest level of privacy is a main mission of ShadeYou VPN. Everybody can read our Privacy Policy. To use our service only a username and e-mail are required. No personal or real data is required.
  6. == AzireVPN == >Nope, we keep no logs.
  7. == Cryptostorm == >None.
  8. == VPN Baron == >Our users share the server IPs making it impossible to link any user to a particular action. On the server, no traffic logs are recorded. We monitor only the number of simultaneous user connections on our network as whole, and do not link the user to a particular server. This helps us avoid infinite simultaneous connections from a single user.
  9. == NordVPN == >Do we keep logs? What is that? Seriously, we have a strict no-logs policy over our customers. The only information we keep is customers’ e-mail addresses which are needed for our service registration (we keep the e-mail addresses until the customer closes the account).
  10. == TorrentPrivacy == >We don’t keep any logs with IP addresses. The only information we save is an email. It’s impossible to connect specific activity to a user.
  11. == Mullvad == >No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users sharing addresses, both for IPv4 and IPv6.
  12. == PRQ == >No
  13.  
  14. 2. Under what jurisdiction(s) does your company operate?
  15.  == Hide.me == >We are a Company based in Malaysia with no legal obligation to store any user logs at all.
  16.  == ShadeYou VPN == >ShadeYou VPN company operates under the jurisdiction of the Netherlands.
  17. == AzireVPN == >We operate under Swedish law.
  18. == Cryptostorm == >We’re a decentralized project, with intentional separation of loosely-integrated project components. Much of our financial processing runs through a payments-focused sibling entity based on First-Nations sovereign territory geographically located within the province of Québec, itself loosely encased within the federal confines of the country of Canada. We own no intellectual property, patents, trademarks, or other such things that would require a corporate entity in which ownership could be enforced by the implied threat of State-backed violence; all our code is published and licensed opensource. We’ve concurrency in financial operations and make use of parallel payment processes under distinct organisational control in two other jurisdictional locations: France and Iceland. Thus, we can walk away from 2 of the 3 simultaneously with no impact to ongoing financial operations for the network.
  19. == VPN Baron == >We’re under Romanian jurisdiction, inside of the European Union. EU takes privacy issues more seriously than the US, as many already know.
  20. == NordVPN == >NordVPN is based out of Panama.
  21. == TorrentPrivacy == >Our company is under Seychelles jurisdiction.
  22. == Mullvad == >Swedish.
  23. == PRQ == >Swedish
  24.  
  25. 3. What tools are used to monitor and mitigate abuse of your service?
  26.  == Hide.me == >We believe that it is not our responsibility to monitor user activities, consequently, we don’t throttle or block any kind of traffic.
  27.  == ShadeYou VPN == >We absolutely do not monitor any traffic or user activity. Even if we receive a serious abuse notification we can’t start monitoring our users because it will violate the main mission of ShadeYou VPN.
  28. == AzireVPN == >Due to the nature of our service, we do not use any tools to monitor abuse of our services.
  29. == Cryptostorm == >Um, never happened. Not sure what “abuse” would actually involve, and as we don’t have “users” we’d not have any way to block someone’s network access in functional terms. Here’s our Terms of Service.
  30. == VPN Baron == >We’ve implemented strict firewall/traffic shaping rules on our Linux servers in order to avoid abuses. If any abuses go through, we just add a new rule that deals with the new issue. This security does not affect the regular VPN usage in any bad way.
  31. == NordVPN == >No tools are used to monitor our customers in any case. We are only able to see the servers’ load, which helps us optimize our service and provide the best possible Internet speed to our users.
  32. == TorrentPrivacy == >We do not monitor any user’s traffic or activity for any reason.
  33. == Mullvad == >We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.
  34. *Very vague == PRQ == >Our own.
  35.  
  36. 4. Do you use any external email providers (e.g. Google Apps) or support tools (e.g. Live support, Zendesk) that hold information provided by users?
  37.  == Hide.me == >Yes we use Zendesk and LivechatInc in which we do not store any customer data that could be mapped to our customer database. Furthermore this information cannot be linked to your VPN usage and online activities.
  38.  == ShadeYou VPN == >Yes, we are using Google Apps as our email service provider. But we do not send or request any private or personal information via mail. Also the option of Live Support is available and works based on SiteHeart service where personal information isn’t required.
  39. == AzireVPN == >We use our own self-hosted ticket system and mail servers.
  40. == Cryptostorm == >This is an excellent question, and the answer is no. All such correspondence is self-hosted (with the obvious exception of bitmessage-based communications, of course).
  41. == VPN Baron == >Our VPN network is separated from the administrative part. As any service that deals with customers, we use emailing software that uses our local server (not a 3rd party server). The information that can be provided by/to users has no incriminating value, being mostly standard OpenVPN troubleshooting, install help and various enquires.
  42. == NordVPN == >We use the third-party live support tool, but it is not linked to the customers’ accounts.
  43. == TorrentPrivacy == >We use third-party solutions for user communications and emailing. Both are running on our servers.
  44. == Mullvad == >We do use external providers and encourage people sending us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.
  45. == PRQ == >No
  46.  
  47. 5. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?
  48.  == Hide.me == >Since we don’t store any logs and/or host copyright infringing material on our services, we’ll reply to these notices accordingly.
  49.  == ShadeYou VPN == >The abuse team of ShadeYou VPN answers as follows: a) we do not store any illegal content on our servers; b) all of our users agree with our privacy policy while registering, so we warned that illegal actions are prohibited and at this time we are not responsible. c) we have no personal data of our users or any logs of their activities that can be shared with third-parties because we simply do not store it.
  50. == AzireVPN == >We politely tell all DMCA/EUCD requesters that due to the nature of the service, we do not have any possibility to track the content.
  51. == Cryptostorm == >Our choice is to reply to any such messages that are not obviously generated by automated (and quite likely illegal) spambots. In our replies, we ask for sufficient forensic data to ascertain whether the allegation has enough merit to warrant any further consideration. We have yet to receive such forensic data in response to such queries, despite many hundreds of such replies over the years. Silence speaks loudly.
  52. == VPN Baron == >None of our users have ever been issued a DMCA notice, being unable to detect which user has caused it due to our no traffic logging policy. On our end, if the issue is persistent and our server provider insists that we deal with it, we wipe that particular server and replace it with a new one from a different provider. Rinse and repeat.
  53. == NordVPN == >When we receive any type of legal notices, we cannot do anything more than to ignore them, simply because they have no legal bearing to us. Since we are based in Panama, all legal notices have to be dealt with according to Panamanian laws first. Luckily they are very friendly to Internet users.
  54. == TorrentPrivacy == >We have small amount of abuses. Usually we receive them through email and all of them are bot generated. As we don’t keep any content we just answer that we don’t have anything or ignore them.
  55. == Mullvad == >There is no such Swedish law that is applicable to us.
  56. == PRQ == >We do not care about DMCA.
  57.  
  58. 6. What steps are taken when a valid court order requires your company to identify an active user of your service? Has this ever happened?
  59.  == Hide.me == >Although it has never happened, in such a scenario we won’t be able to entertain the court orders because our infrastructure is built in a way that it does not store any logs and there is no way we could link any particular cyber activities to any particular user. In case we are forced to do so, we would prefer to close down rather than putting our users at stake who have put their trust in us.
  60.  == ShadeYou VPN == >Sharing any personal data of our users is absolutely impossible since we do not store it and do not keep any logs. Yes such kind of situation has happened but there is not even one existing case when we have shared any information about our users with any 3rd parties.
  61. == AzireVPN == >We inform the other party that we are unable to hand out any information since we do not keep any logs or monitor the traffic.
  62. == Cryptostorm == >See above.
  63. == VPN Baron == >This didn’t happen so far. Court orders usually imply something serious and we’re requested by law to assist. We don’t have much to offer. We can answer if a particular email address \ name (could not be a real name, we don’t check) has an active account on our administrative part.
  64. == NordVPN == >If we receive a valid court order, firstly it would have to comply with the laws of Panama. In that case, the court settlement should happen in Panama first, however were this to happen, we would not be able to provide any information because we keep exactly nothing about our users.
  65. == TorrentPrivacy == >It has never happened for 8 years. We will ignore any requests from all jurisdiction except Seychelles. We have no information regarding our customers’ IP addresses and activity on the Internet.
  66. == Mullvad == >We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.
  67. == PRQ == >We only require a working e-mail address to be a customer, no other information is kept.
  68.  
  69. 7. Does your company have a warrant canary or a similar solution to alert customers to gag orders?
  70.  == Hide.me == >Since we are not operating under US law, in Malaysia there is no such thing as the Patriot Act. So far we haven’t been served with a court order or any governmental request and if it was the case we would be transparent with our customers that might have been affected by such court order.
  71.  == ShadeYou VPN == >Warrant canaries are new to us. We have not used one before since we are sure that all our users are safe. But we can start using it as an additional option to make our users sure that they are totally secure while using our service.
  72. == AzireVPN == >No
  73. == Cryptostorm == >We have been involved in the technical and theoretical work of developing the concept and implementation of warrant canaries since prior to their currently-seen popularity as a marketing tool. Indeed, we coined the term “privacy seppuku” itself, which is a closely related subject. Unfortunately, many implementations of “warrant canaries” we see recently are terribly flawed both in conceptual foundation and in real-world application. This topic is perhaps a bit long for an interview reply, but we can say that doing a flawed warrant canary is worse than doing nothing at all, as it provides mere “security theatre” and encourages false confidence.
  74. == VPN Baron == >We do not. As we haven’t received any warrants or court orders there was no need. However, we’ll certainly do our best to protect our users.
  75. == NordVPN == >We do not have a warrant canary or any other alert system, because as it was mentioned above, we operate under the laws of Panama and we guarantee that any information about our customers will not be distributed to any third party.
  76. == TorrentPrivacy == >No, we don’t bother our users.
  77. == Mullvad == >Under current Swedish law there is no way for them to force us to secretly act against our users so a warrant canary would serve no purpose. Also, we would not continue to operate under such conditions anyway.
  78. == PRQ == >No.
  79.  
  80. 8. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?
  81.  == Hide.me == >There is no effective way of blocking file-sharing traffic without monitoring our customers which is against our principles and would even be illegal. Usually we only recommend our customers to avoid the US & UK locations for filesharing but it is on a self-regulatory basis since these countries have strong anti-copyright laws in place.
  82.  == ShadeYou VPN == >BitTorrent and any other file-sharing traffic is allowed on all our servers. There’s only one exception, and that’s for users who use a trial version.
  83. == AzireVPN == > All traffic is allowed.
  84. == Cryptostorm == >Yes.
  85. == VPN Baron == >Yes. All P2P traffic is allowed.
  86. *MOST of our servers == NordVPN == >We do not restrict any BitTorrent or other file-sharing applications on most of our servers.
  87. == TorrentPrivacy == >Yes we support all kind of traffic on all servers.
  88. == Mullvad == >Yes.
  89. *Can't find ToS of their website == PRQ == >As long as the usage doesn’t violate the ToS, we do not care.
  90.  
  91. 9. Which payment systems do you use and how are these linked to individual user accounts?
  92.  == Hide.me == >We support over 200+ international payment methods, including Bitcoin, Paypal, Credit Cards, Bank transfer and UKash. All payments are handled by external payment providers and are linked to a temporary payment ID. This temporary payment ID can not be connected to the users VPN account/activity. After the payment is completed, the temporary payment ID will be permanently removed from the database.
  93.  == ShadeYou VPN == >ShadeYou VPN uses payment systems including PayPal, Perfect Money, Webmoney, Qiwi, Yandex Money, Easy Pay, Ligpay, UnionPay, AliPay, MINT, CashU, Ukash also accept payments via Visa, Master Card, Maestro and Discover. Of course Bitcoin is available.
  94. == AzireVPN == > We support PayPal, Bitcoin (BitPay) and Credit Cards (Stripe).
  95. == Cryptostorm == >We don’t have purchasing/financial information connected in any way to real-life identity of our network members; our token-based authentication system removes this systemic connection, and thus obviates any temptation to “squeeze” us for private data about network membership. We quite simply know nothing about anyone using our network… save for the fact that they have a non-expired (SHA512 version of) token when they connect.
  96. == VPN Baron == >We use Bitcoins, PayPal and Credit Cards (processed by PayPal). Again, the administrative part is very separated from our VPN service. With each paid invoice the administrative part updates the subscription’s expiration date on the VPN service. We recommend using Bitcoins for the most anonymity a payment method could offer. Bitcoin payments cannot be traced to a particular individual.
  97. == NordVPN == >We accept payments via Bitcoin, Credit Card, PayPal, Banklink, Webmoney (Paysera). Bitcoin is the best payment option to maintain your anonymity as it has only the paid amount linked to the client. Users who purchase services via PayPal are linked with the usual information the seller can see about the buyer.
  98. == TorrentPrivacy == >We are using PayPal but payment as a fact proves nothing. Also we are going to expand our payment types for the crypto currencies in the nearest future.
  99. == Mullvad == >Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.
  100. == PRQ == >None of the payment methods are linked to a user.
  101.  
  102. 10. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?
  103.  == Hide.me == >Our users’ privacy is of utmost concern to us. Our Windows client has features such as kill switch, Auto Connect, Auto Reconnect etc. which make sure that the user is always encrypted and anonymous. Even if one of our customers decides not to use the client, in our community there is a big variety of tutorials to help our customers to protect themselves against any sort of leaks.
  104. After all, modern VPN protocols that we all support – like IKEv2, OpenVPN and SSTP, are considered secure even after the NSA leaks. We follow cryptographic standards and configured our VPN servers accordingly in order to support a secure key exchange with 4096-bit keys and a strong symmetric encryption (AES-256) for the data transfer.
  105.  == ShadeYou VPN == >We strongly recommend to use OpenVPN since it is the most safe and uses the strongest encryption (TLS Protocol with 1024-bit key length and AES-256-CBC crypto-algorithm). We do not support “Kill switch” at the moment but we will propose alternative solution when our new DNS servers will be launched.
  106. == AzireVPN == >We recommend our users to use our OpenVPN servers with SHA512 auth, AES-256-CBC cipher and tls-auth for maximum security.
  107. == Cryptostorm == >We only support one cipher suite on-net, per reply above. Offering “musical chairs” style cipher suite roulette is bad opsec, bad cryptography, and bad administrative practice. There is no need to support deprecated, weak, or known-broken suites in these network security models; unlike browser-based https/tls, there are no legacy client-side software suites that must be supported. As such, any excuse for deploying weak cipher suites is untenable. Everyone on cryptostorm receives equal and full security attention. There are no “kill switch” tools available today that actually work. We have tested them, and until we have developed tools that pass intensive forensic scrutiny at the packetized/NIC level, we will not claim to have such. Several in-house projects are in the works, but none are ready yet for public testing. We take standard steps to encourage client-side computing environments to route DNS queries through our sessions when connected. However, we cannot control things such as router-based DNS queries, Teredo-based queries that slip out via IP6, or unscrupulous application-layer queries to DNS resolvers that, while sent in-tunnel, nevertheless may be using arbitrary resolver addressing. Once again, we’re working on tools to mitigate these risks, but no current tools or frameworks are 100% effective in doing so. We are saddened to see others who claim they have such “magical” tools; getting a “pass” from a handful of “DNS leak” websites is not the same as protecting all DNS query traffic. Those who fail to understand that are in need of remedial work on network architecture. As we run our own mesh-based system of DNS resolvers, “deepDNS,” we have full and arbitrary control over all levels of DNS resolution presentation to third parties. Indeed, on-cstorm visitors to “DNS leak” websites see a message directly from cryptostorm, embedded in the results presented… this is the level of expertise we are employing as we work towards improved member security.
  108. == VPN Baron == >OpenVPN protocol offers by default excellent security on any type of encryption, and after a certain point, adding more encryption has diminishing returns while making a huge impact on user’s internet speed. It makes little difference if a package is cracked in 10,000 years or 20,000 years. We currently use by default BF-CBC 128 bit key, TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA. In the future update, we’re allowing users to select their preferred type of encryption. We regularly check for DNS leaks. If the VPN connection drops, all traffic will be halted.
  109. == NordVPN == >We have high anonymity solutions which we would like to recommend to everyone seeking real privacy. One of them is Double VPN. The traffic is routed through at least two hoops before it reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays. Both of these security solutions give a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Furthermore, our regular servers have a strong encryption which is 2048bit SSL for OpenVPN protocol, AES-256bit for L2TP. In addition to that, we have advanced security solutions, such as the “kill switch” and DNS leak protection which provide the maximum possible security level for our customers.
  110. == TorrentPrivacy == >We are recommending to use the most simple and secure way — OpenVPN with AES-256 encryption. To protect the torrent downloads we suggest to create a proxy SSH tunnel for your torrent client. In this case you are encrypting only your P2P connection when your browser or Skype uses your default connection. When using standard VPN in case of disconnection your data flows unencrypted. Implementing our SSH tunnel will save from such leaking cause traffic will be stopped.
  111. == Mullvad == >OpenVPN (using the Mullvad client program). Regarding crypto, ideally we would recommend Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN. We therefore recommend and by default use RSA-2048, D-H (DHE) and AES-256-CBC-SHA. We have a “kill switch,” DNS leak protection and IPv6 leak protection (and IPv6 tunnelling).
  112. == PRQ == >OpenVPN, customers have to monitor their service/usage.
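
Added example, not part of the original paste and not any provider's own tooling: a small Python check that reads an OpenVPN client config and reports on the three settings the answers to question 10 name (cipher, auth digest, tls-auth). The sample configs and hostname are constructed, and it assumes the OpenVPN 2.3-era defaults (BF-CBC, SHA1) when a directive is absent.

```python
"""Audit an OpenVPN client config for the settings named in the answers above."""

# Assumption: OpenVPN 2.3-era defaults apply when a directive is absent.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}
# 64-bit block ciphers: CBC collisions become likely after roughly 32 GB per key.
SMALL_BLOCK = {"BF-CBC", "CAST5-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC"}

# Constructed sample inputs (hostname and file names are placeholders).
WEAK_SAMPLE = """\
client
dev tun
remote vpn.example.net 1194   # constructed hostname
cipher BF-CBC
<ca>
placeholder body, skipped by the parser
</ca>
"""
STRONG_SAMPLE = """\
client
remote vpn.example.net 1194
cipher AES-256-CBC
auth SHA512
tls-auth ta.key 1
"""


def parse_config(text):
    """Return {directive: [args]}; comments are dropped and the bodies of
    inline <tag>...</tag> blocks are skipped (the tag itself is recorded)."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:
            if line == "</%s>" % inline:
                inline = None
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            directives[inline] = ["[inline]"]
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":      # '#' or ';' starts a comment
                break
            tokens.append(tok)
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def audit(text):
    """Return [(setting, value, verdict)] for cipher, auth and tls-auth.
    Only the listed weak values are flagged; anything else is reported 'ok'."""
    cfg = parse_config(text)
    cipher = (cfg.get("cipher") or [DEFAULTS["cipher"]])[0].upper()
    auth = (cfg.get("auth") or [DEFAULTS["auth"]])[0].upper()

    findings = []
    weak_cipher = cipher == "NONE" or cipher in SMALL_BLOCK
    findings.append(("cipher", cipher, "weak" if weak_cipher else "ok"))

    if auth in ("NONE", "MD5"):
        verdict = "weak"
    elif auth == "SHA1":
        verdict = "legacy"          # the old default, below the SHA512 advice
    else:
        verdict = "ok"
    findings.append(("auth", auth, verdict))

    # tls-auth (or the later tls-crypt) adds an HMAC key to the control channel.
    keyed = "tls-auth" in cfg or "tls-crypt" in cfg
    findings.append(("tls-auth", "present" if keyed else "absent",
                     "ok" if keyed else "missing"))
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("strong", STRONG_SAMPLE)):
        print(name, audit(sample))
```

RSA and Diffie-Hellman key sizes, which several answers also quote, live in the certificates and server parameters and cannot be read from these directives.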
  113.  
  114. 11. Do you use your own DNS servers? (if not, which servers do you use?)
  115.  == Hide.me == >We do not operate own DNS servers since all outgoing connections are already encrypted and free DNS servers like OpenDNS or Google Public DNS are not censored in any way, so we can ensure that our customers are still anonymous using these services and enjoy a censorship free browsing. Operating own DNS servers would put our infrastructure at risk since an attack could affect all our customers that are currently connected to our VPN servers.
  116.  == ShadeYou VPN == >At the moment we use Public DNS 8.8.8.8 and 8.8.4.4 and currently we are working hard on implementing our own DNS servers with a secured channel.
  117. == AzireVPN == >Yes, we have our own DNS servers for both client recursor as well as authoritative NS for our domains.
  118. == Cryptostorm == >We have constructed a mesh-topology system of redundant, self-administered secure DNS resolvers which has been collected under the label of deepDNS. Rather than simply forwarding DNS resolution queries on to other outside layers for reply, deepDNS is a fully in-house mechanism that keeps all query data (and metadata) within cryptostorm exclusively.
  119. == VPN Baron == >We’re using Google DNS. It’s fast, secure and google does a great job keeping it safe against any type of attacks. There is a huge list of Security Benefits on their page that might be of interest to anyone who’d like to find out more.
  120. == NordVPN == >NordVPN has its own DNS servers, also our customers can use any DNS server they like.
  121. == TorrentPrivacy == >Yes. We are using our own DNS servers.
  122. == Mullvad == >Yes, we use our own DNS servers.
  123. == PRQ == >Yes.
  124.  
  125. 12. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Where are your servers located?
  126.  == Hide.me == >We operate 27 server locations in 19 different countries. However we do not own physical hardware, there is an intrusion detection and other various security measures in place to ensure the integrity and security of all our single servers. Furthermore we choose all third party hosting providers very carefully, so we can assure that there are certain security standards in place (ISO 27001) and no authorized person could access our servers. Among our reputable partners are Leaseweb, NFOrce, Equinix and Softlayer.
  127.  == ShadeYou VPN == >All our servers are collocated around the world in DC’s of different leading hosting companies. Our VPN network covers: USA, United Kingdom, Sweden, Ukraine, Netherlands, Russia, Spain, Hong Kong, Germany, France and Canada. Romania will be added soon.
  128. == AzireVPN == >Yes, we own all our hardware and have physical control. Our servers are located in Stockholm Sweden.
  129. == Cryptostorm == >We deploy nodes in commodity datacentres that are themselves stripped of all customer data and thus disposable in the face of confirmed attacks on their kernel integrity. We have in the past “downed” such nodes based on alert from onboard systems and offsite, independently maintained kernel logs that confirmed a kernel-level violation was taking place. It is important to note that such “downing” does not explicitly require us to even have physical (or root) control of the machine in question: we push nameserver updates, via our HAF (Hostname Assignment Framework) out via redundant, parallel channels to all connected members and by doing so we can “offline” any node on the network within less than 10 minutes of initial commit.
  130. == VPN Baron == >We’re big fans of cloud servers. They can be created or destroyed in seconds. We feel that the ease of replacing a server is essential to any privacy service, adding an extra bump to anyone trying to track the activity of our users. Our servers are located in the US and Europe and our main providers at this time are Digital Ocean and Vultr.
  131. == NordVPN == >Our servers are outsourced and hosted by third parties. Currently our servers are in 26 countries: Australia, Austria, Brazil, Canada, Chile, France, Germany, Hong Kong, Iceland, Isle of Man, Israel, Italy, Liechtenstein, Lithuania, Netherlands, Panama, Poland, Romania, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, United Kingdom and United States.
  132. == TorrentPrivacy == >We use third party datacenters for VPN and SSH data transmission in the USA, UK and Netherlands. The whole system is located on our own servers.
  133. == Mullvad == >We have a range of servers. From on one end servers lovingly assembled and configured by us with ambitious physical security in data centers owned and operated by people we trust personally and whose ideology we like. On the other end rented hardware in big data centers. Which to use depends on the threat model and performance requirements. Currently we have servers hosted by GleSYS Internet Services, 31173 Services and Leaseweb in Sweden, the Netherlands, USA and Germany.
  134. == PRQ == >Everything is inhouse in Sweden.
  135.  
  136.  
  137. All prices in US Dollars
  138. == ShadeYou VPN == 25.99/Annually, monthly available
  139. == NordVPN == 48/Annually, monthly available
  140. == AzireVPN == 48.83/Annually, monthly available
  141. == Cryptostorm == 52/Annually, monthly available
  142. == TorrentPrivacy == 58/Annually, 6/Monthly11
  143. == Hide.me == 5.42/month 75gb data - 11.67/mo unlimited bandwidth
  144. == Mullvad == "[5.43] extends the expiry time by 30 days, [10.85] extends the expiry time by 60 days, and so on."
  145. == VPN Baron == 75.96 a year billed as 6.33/Month for 12 months
  146. == PRQ == 10mbs- 18.38/Month 30mbs- 29.46/Month