====== 2016-02-29 - green light for mass-invigilation in poland (and how to deal with it) ======

the christmas/new year's eve period of 2015 was an interesting time for polish citizens. new regulations that [[https://niebezpiecznik.pl/post/nowelizacja-ustawy-o-policji-i-kontrowersje-w-sprawie-wprowadzanych-zmian/|allow widespread invigilation]] were passed, and they [[https://niebezpiecznik.pl/post/ustawa-inwigilacyjna-jak-sie-bronic-przed-podgladaniem-przez-policje-i-sluzby/|came into force earlier this month]]. this is quite a problem for at least several reasons -- just to quote a few interesting opinions here:

  * [[wp>Robert A. Heinlein]]: //Secrecy is the keystone to all tyranny. Not force, but secrecy and censorship. When any government or church for that matter, undertakes to say to its subjects, "This you may not read, this you must not know," the end result is tyranny and oppression, no matter how holy the motives. Mighty little force is needed to control a man who has been hoodwinked in this fashion; contrariwise, no amount of force can control a free man, whose mind is free. No, not the rack nor the atomic bomb, not anything. You can't conquer a free man; the most you can do is kill him.//
  * [[wp>Edward Snowden]]: //Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.//
  * [[wp>Vladimir Lenin]]: //Supervision is a base of trust.// (anyone else see the irony?)

having said that, i must admit i'm a bit shocked by how few people really care about their privacy. "//i have nothing to hide//" is probably the most widespread argument. i usually reply with something like: "//so why do you have curtains in your windows?//" or "//i do not recall seeing you running naked on the streets -- are you ashamed of something?//". my observation is that in general tech people are more aware and do "fight back".
===== dealing with the problem =====

{{ :blog:2016:02:29:openvpn_logo.png|OpenVPN logo (https://upload.wikimedia.org/wikipedia/commons/8/88/Ovpntech_logo-s_REVISED.png)}}

i have been using full-disk encryption for over a decade now. for some time i have also been using [[wp>Signal (software)]] for texting (unfortunately not that many people i know use it as well). recently i've set up a [[wp>VPN]] on my router to access the internet. there is an [[https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw/htmlview?usp=sharing&sle=true|interesting comparison of VPN providers]] you can filter to find your best match. what is worth making sure of?

  * the company is located **OUTSIDE** of the [[wp>Five Eyes|fourteen eyes]] countries. otherwise the cure might be worse than the disease, as the "14 eyes" have a [[wp>Utah Data Center|much bigger budget for mass invigilation]] than [[wp>poland]].
  * it should not log traffic. preferably nothing should be logged.
  * it should accept p2p. on certain occasions p2p can be the only source of information that is not centrally controlled and thus cannot be easily shut down.
  * **4096 bit RSA** key. this unfortunately is not listed in the mentioned spreadsheet, so you must check it on your own. there is an interesting [[https://www.reddit.com/r/linux/comments/43cvvz/someone_told_me_that_you_guys_might_be_interested/|discussion on VPNs]] which references an article pointing out that the [[http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/|NSA can break 1024 bit RSA on a massive scale]].

===== configuration =====

configuring [[wp>OpenVPN]] is nowadays simple, since most providers offer ready-to-go configuration files. just download one, put in your user/pass, and you're good to go. this should be set up on your router, so that all networked devices use your VPN.
having [[wp>OpenWRT]] or another linux distro on the router means this is a piece of cake -- just set up the OpenVPN client on that device and you're done!

there is however one more problem that is not commonly mentioned when talking about VPNs. a VPN runs over an actual network that is, by itself, fully operational as well. now if you **lose your VPN connectivity in the background** (say, due to a malfunction of the router), your connection becomes wide open, and most likely you will not even notice it! it actually gets worse. if someone wants to eavesdrop on your traffic and has access to, say, the [[wp>ISP]]'s network, then she can block your VPN traffic, forcing a disconnection, and kaboom! you're being watched again.

in order to prevent this from happening, your router must be configured so that it does NOT allow any "open traffic" to leave directly. you can play around with blocking DNS access, but that will not do the trick for connections to IPs that are already cached. what you should do instead is block ALL forwarded traffic that is not directed to your VPN access node directly. for OpenWRT this means adding custom rules like these:

<code bash>
# 1st VPN access node from the provider's list
iptables -A forwarding_rule -o your_wan_dev -d 1.1.1.1 -j ACCEPT
# 2nd VPN access node from the provider's list
iptables -A forwarding_rule -o your_wan_dev -d 1.1.1.2 -j ACCEPT
# nothing else may leave through the WAN device directly (the tunnel device is unaffected)
iptables -A forwarding_rule -o your_wan_dev -j REJECT
</code>

this way, if the VPN goes down, internet traffic is blocked as well. if you are using multiple gateways, OpenVPN will automatically switch between them if the connection is lost.

===== technical downsides =====

aside from the obvious point that a VPN, even if cheap, is still not free, there is more. using a VPN means at least 2x longer [[wp>Round-trip delay time|RTT]] (one extra hop along the way). in real life however, 4-6x longer RTTs are usually to be assumed (4-5x is a good result you should aim for).
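as an added example (not a script from the original post), the "block everything except the VPN access nodes" rules from the configuration section can be generated straight from a provider's .ovpn file, so the kill switch stays in sync with the ''remote'' lines; the WAN device name, the sample config and the ''forwarding_rule'' chain usage are assumptions, and the remotes used are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the original post's code): derive OpenWRT "kill switch"
# rules from an OpenVPN client config, so forwarded traffic may only leave the
# WAN device towards the VPN endpoints listed as "remote" lines.
# Assumptions: "forwarding_rule" is OpenWRT's user chain (as on the page),
# and the WAN device name below is a placeholder you must adjust.

# Read an .ovpn file on stdin and print iptables commands for WAN device $1.
# Only IP-literal remotes are pinned; a hostname remote is reported and skipped,
# because a -d rule needs a fixed address (pin it to an IP in the .ovpn first).
gen_killswitch_rules() {
    wan="$1"
    while read -r key host port rest; do
        [ "$key" = "remote" ] || continue
        [ -n "$host" ] || continue
        case "$host" in
            *[!0-9.]*)
                echo "# skipped remote '$host' (hostname): pin it to an IP first"
                ;;
            *)
                echo "iptables -A forwarding_rule -o $wan -d $host -j ACCEPT"
                ;;
        esac
    done
    # Final catch-all: with the VPN down, nothing else may leave via the WAN.
    echo "iptables -A forwarding_rule -o $wan -j REJECT"
}

# Constructed sample config (not a real provider's file) for demonstration.
SAMPLE_OVPN='client
dev tun
proto udp
remote 1.1.1.1 1194
remote 1.1.1.2 1194
remote vpn.example.invalid 443
verb 3'

# Typical use on the router: append the output to /etc/firewall.user.
printf '%s\n' "$SAMPLE_OVPN" | gen_killswitch_rules "${WAN_DEV:-eth0.2}"
```

the generated ACCEPT lines come first and the REJECT line last, so rule order matches the hand-written version above; a hostname remote is flagged instead of silently producing a rule that would never match.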
assuming you have a reasonable "raw" network connection, this won't be a practical problem even for gaming. the real challenge is encryption -- or rather the CPU power of your network access point. if you have more than an 8Mbps connection, pretty much none of the off-the-shelf home routers will cope with [[wp>OpenVPN]] using 4096 bit encryption, effectively limiting your bandwidth. there are many mini-ITX motherboards available that have x86/amd64 CPUs on board and no moving parts. this should do for encryption. putting such a mini-PC with two ethernet cards in a closet can be a nice way of dealing with the CPU-power shortfall. while it is more expensive than even a very good router, as a free bonus it can serve as a high-speed [[wp>Network Attached Storage|NAS]] (cheap ones don't usually go beyond ~20MB/s and more expensive ones are usually just not worth it).