Weomeo

Cyberattacks don't magically happen; they involve a series of steps. And far from being helpless, defenders can disrupt the attack at any of those steps. This framing has led to something called the "cybersecurity kill chain": a way of thinking about cyber defense in terms of disrupting the attacker's process.

On a similar note, it's time to conceptualize the "information operations kill chain." Information attacks against democracies, whether they're attempts to polarize political processes or to increase mistrust in social institutions, also involve a series of steps. And enumerating those steps will clarify possibilities for defense.

I first heard of this concept from Anthony Soules, a former National Security Agency (NSA) employee who now leads cybersecurity strategy for Amgen. He used the steps from the 1980s Russian "Operation Infektion," designed to spread the rumor that the U.S. created the HIV virus as part of a weapons research program. A 2018 New York Times opinion video series on the operation described the Russian disinformation playbook in a series of seven "commandments," or steps. The information landscape has changed since 1980, and information operations have changed as well. I have updated, and added to, those steps to bring them into the present day:

• Step 1: Find the cracks in the fabric of society­ -- the social, demographic, economic and ethnic divisions.

• Step 2: Seed distortion by creating alternative narratives. In the 1980s, this was a single "big lie," but today it is more about many contradictory alternative truths­ -- a "firehose of falsehood" -- ­that distorts the political debate.

• Step 3: Wrap those narratives around kernels of truth. A core of fact helps the falsities spread.

• Step 4: (This step is new.) Build audiences, either by directly controlling a platform (like RT) or by cultivating relationships with people who will be receptive to those narratives.

• Step 5: Conceal your hand; make it seem as if the stories came from somewhere else.

• Step 6: Cultivate "useful idiots" who believe and amplify the narratives. Encourage them to take positions even more extreme than they would otherwise.

• Step 7: Deny involvement, even if the truth is obvious.

• Step 8: Play the long game. Strive for long-term impact over immediate impact.

These attacks have been so effective in part because, as victims, we weren't aware of how they worked. Identifying these steps makes it possible to conceptualize­ and develop­ countermeasures designed to disrupt information operations. The result is the information operations kill chain:

• Step 1: Find the cracks. There will always be open disagreements in a democratic society, but one defense is to shore up the institutions that make that society possible. Elsewhere I have written about the "common political knowledge" necessary for democracies to function. We need to strengthen that shared knowledge, thereby making it harder to exploit the inevitable cracks. We need to make it unacceptable­ -- or at least costly -- ­for domestic actors to use these same disinformation techniques in their own rhetoric and political maneuvering, and to highlight and encourage cooperation when politicians honestly work across party lines. We need to become reflexively suspicious of information that makes us angry at our fellow citizens. We cannot entirely fix the cracks, as they emerge from the diversity that makes democracies strong; but we can make them harder to exploit.

• Step 2: Seed distortion. We need to teach better digital literacy. This alone cannot solve the problem, as much sharing of fake news is about social signaling, and those who share it care more about how it demonstrates their core beliefs than whether or not it is true. Still, it is part of the solution.

• Step 3: Wrap the narratives around kernels of truth. Defenses involve exposing the untruths and distortions, but this is also complicated to put into practice. Psychologists have demonstrated that an inadvertent effect of debunking a piece of fake news is to amplify the message of that debunked story. Hence, it is essential to replace the fake news with accurate narratives that counter the propaganda. That kernel of truth is part of a larger true narrative. We need to ensure that the true narrative is legitimized and promoted.

• Step 4: Build audiences. This is where social media companies have made all the difference. By allowing groups of like-minded people to find and talk to each other, these companies have given propagandists the ability to find audiences who are receptive to their messages. Here, the defenses center around making disinformation efforts less effective. Social media companies need to detect and delete accounts belonging to propagandists and bots and groups run by those propagandists.

• Step 5: Conceal your hand. Here the answer is attribution, attribution, attribution. The quicker we can publicly attribute information operations, the more effectively we can defend against them. This will require efforts by both the social media platforms and the intelligence community, not just to detect information operations and expose them but also to be able to attribute attacks. Social media companies need to be more transparent about how their algorithms work and make source publications more obvious for online articles. Even small measures like the Honest Ads Act, requiring transparency in online political ads, will help. Where companies lack business incentives to do this, regulation will be the only answer.

• Step 6: Cultivate useful idiots. We can mitigate the influence of people who disseminate harmful information, even if they are unaware they are amplifying deliberate propaganda. This does not mean that the government needs to regulate speech; corporate platforms already employ a variety of systems to amplify and diminish particular speakers and messages. Additionally, the antidote to the ignorant people who repeat and amplify propaganda messages is other influencers who respond with the truth­ -- in the words of one report, we must "make the truth louder." Of course, there will always be true believers for whom no amount of fact-checking or counter speech will convince; this is not intended for them. Focus instead on persuading the persuadable.

• Step 7: Deny everything. When attack attribution relies on secret evidence, it is easy for the attacker to deny involvement. Public attribution of information attacks must be accompanied by convincing evidence. This will be difficult when attribution involves classified intelligence information, but there is no alternative. Trusting the government without evidence, as the NSA's Rob Joyce recommended in a 2016 talk, is not enough. Governments will have to disclose.

• Step 8: Play the long game. Counterattacks can disrupt the attacker's ability to maintain information operations, as U.S. Cyber Command did during the 2018 midterm elections. The NSA's new policy of "persistent engagement" (see the article by, and interview with, U.S. Cyber Command Commander's Gen. Paul Nakasone here) is a strategy to achieve this. Defenders can play the long game, too. We need to better encourage people to think for the long term: beyond the next election cycle or quarterly earnings report.

Permeating all of this is the importance of deterrence. Yes, we need to adjust our theories of deterrence to the realities of the information age and the democratization of attackers. If we can mitigate the effectiveness of information operations, if we can publicly attribute -- if we can respond either diplomatically or otherwise­ -- we can deter these attacks from nation-states. But Russian interference in the 2016 presidential election shows not just that such actions are possible but also that they're surprisingly inexpensive to run. As these tactics continue to be democratized, more people will attempt them. Deterring them will require a different theory.

None of these defensive actions is sufficient on its own. In this way, the information operations kill chain differs significantly from the more traditional cybersecurity kill chain. The latter defends against a series of steps taken sequentially by the attacker against a single target­ -- a network or an organization -- and disrupting any one of those steps disrupts the entire attack. The information operations kill chain is fuzzier. Steps overlap. They can be conducted out of order. It's a patchwork that can span multiple social media sites and news channels. It requires, as Henry Farrell and I have postulated, thinking of democracy itself as an information system. Disrupting an information operation will require more than disrupting one step at one time. The parallel isn't perfect, but it's a taxonomy by which to consider the range of possible defenses.

This information operations kill chain is a work in progress. If anyone has any other ideas for disrupting different steps of the information operations kill chain, please comment below. I will update this in a future essay.

This essay previously appeared on Lawfare.com.

* 本文作者：麦片与老干妈，本文属FreeBuf原创奖励计划，未经许可禁止转载

0×00前言

文章迟到了3个月，太忙自己又太懒对不住~~

上次文章主要描述了智能网联汽车，整体上可能遭受的攻击风险；同时对OBD设备的安全性进行了简单的分析，提供了一些外部攻击的思路。此文着重从BLE（低功耗蓝牙）方向对智能设备的安全进行分析。

0×01 BLE安全基础

先看看BLE的基础知识，以及BLE自身在安全方面的考虑。

BLE的基础知识，雪碧已经对其进行了详细的描述，我再啰+/嗦几句

【传送门】http://www.freebuf.com/news/88281.html

其实我们蓝牙协议主要分为传统蓝牙和低功耗蓝牙。

对 于传统蓝牙来讲，当提出主动连接的设备（搜索设备）和被连接的设备（被搜索设备）打算进行连接时，搜索设备会以极快的速度进行跳频，被搜索设备会以极低的速度跳频，这样两个设备一定会同时跳跃到同一频段（79个频段中的一个）。

随后，搜索设备和被搜设备进行连接，并会将连接信道按照跳频图（由发起连接的设备）进行有规律的变化。当中，发起连接的一方被称为Master，接受连接的一方称为Slave此外，在建立连接后，双方根据已建立逻辑、基于 BR/EDR controller的l2cap 可以沟通各自是否具备可以使用的Altemate的AMP Controllers，具备的话则会判定是否将传输的data，转移到这些Controllers（极大提供蓝牙传输效率）。

对于低功耗蓝牙来讲，同样存在两方，称为Adversting的一方，发 送adversting packets（广播包），接收的一方称为Scanner，当Scanner接受到 “connectable advertisingpacket” 回应 “connection request”  建立起点对点链接（Initiators），Initiators发起连接即为Master ，Scanner为Slave。频道的选择则是在有Master生成的Hopping Pattern决定。

了解了握手的过程，接下来简单看下协议结构

Physical Layer：

40个物理信道与RF特性的定义

Link Layer：

在这些Physical Channel上收发数据

解 决Physical Channel的共享：对时延不是很敏感的场景→在3个逻辑传输广播通道上进行传输；对时延较敏感的场景，37个Physical Channel中，选取一个，为这种场景里面的通信双方建立单独的通道（datachannel），这就是连接（connection）的过程，再结合跳频技术

因为是通过LinkLayer进行数据收发，过程中存在五种状态：Standby，Advertising，Scanning，Initiating，Connection

当建立连接后：Initiater方称作Mater，Advertiser方称作Slave

L2CAP Protocol

在 用户类XXX-U Logical Link的基础上，抽象出和具体技术无关的数据传输通道（包括单播和广播两类），L2CAP channel endpoints的概念（类似TCP/IP中的端口），为具体的应用程序（profile）提供独立的数据传输通道。在构建了点对点的逻辑通道，将这个 LogicalChannel换为L2CAP Channel，实现逻辑信道复用和长数据的分片传输

ATT（Attribute Protocol ）

是一套允许Client和Server（传感器节点）通过属性的形式共享信息的机制，由Attribute Type、Attribute Handle（唯一识别Attribute server上的所有Attribute）和Attribute Value组成。定义一些权限：访问有关的权限 ，加密有关的权限，认证有关的权限，授权有关的权限。

GAP（Generic Attribute Profile）

简单理解为，应用场景，功能，使用方式都被规定好的应用

定义GAP层的蓝牙设备角色，定义GAP层的、用于实现各种通信的操作模式（Operational Mode）和过程（Procedures），定义User Interface有关的蓝牙参数。

信道复用实现：

通信之前，先建立一个基于Logical Channel的虚拟通道，L2CAP会为这个通道分配一个编号（CID），数据发送时，将用户数据分割为一定长度的数据包（L2CAP PacketData Units，PDUs），加上一个包含特定“ID”的header后，通过逻辑链路发送出去。数据接收时，从逻辑链路接收数据，解析其中的“ID”，并以此判断需要将数据转发给哪个应用

关于安全的 SMP(SecurityManagerProtocol)

SMP即安全管理协议，为BLE设备提供建立加密连接需要的key（STK or LTK）

SMP 位于L2CAP 与 GAP之间 为消息传递进行了安全加密。将生成加密key的过程称为Pairing（配对），并详细定义了Pairing的概念、操作步骤、实现细节等。定义一个密码 工具箱（CryptographicToolbox），其中包含了配对、加密等过程中所需的各种加密算法。定义一个协议（SecurityManager Protocol，简称SMP），基于L2CAP连接，实现master和slave之间的配对、密码传输等操作。

BLE整体的配对->加密->传输的过程如下图

配对->权鉴->获取密钥->加密过程：

第一阶段：

Pairing Feature Exchange ：配对的发起者（Initiator，总是Master）和配对的回应者（Responder，总是Slave）可以交换足够的信息，以决定在阶段2使用哪种配对方法、哪种鉴权方式、等等

配对方法：LE legacy pairing 和 LE Secure Connections（新方法优先支持）

配对码：

1）用户在两个设备上输入相同的6个数字（要求两个设备都有数字输入的能力），接下来的配对过程会进行相应的校验；

2）一个设备（A）随机生成并显示6个数字（要求该设备有显示能力），用户记下这个数字，并在另一个设备（B）上输入。设备B在输入的同时，会通过SMP协议将输入的数字同步的传输给设备A，设备A会校验数字是否正确，以达到鉴权的目的

3）Numeric Comparison，两个设备自行协商生成6个数字，并显示出来（要求两个设备具有显示能力），用户比较后进行确认（一致，或者不一致，要求设备有简单的yes or no的确认能力）

4）Just Work，不需要用户参与，两个设备自行协商

5）不需要权鉴

权鉴方法：OOB（out of band）protocol额外信息交互；

权鉴原则：

1）如果双方都支持OOB鉴权，则选择该方式（优先级最高）。

2）否则，如果双方都支持MITM鉴权，则根据双方的IO Capabilities（并结合具体的配对方法），选择合适的鉴权方式

3）否则，使用Just work的方式（不再鉴权）

第二阶段：

LE legacy pairing配对：最终生成STK用户建立加密连接，建立加密连接后再自行生成LTKS,通过Transport Specific Key Distribution共享双方生成EDIV和Rand用于索引LTK

STK=SHA1（MRand+SRand+TK（可以为配对码或OOB）)

LE Secure Connections配对：直接生成LTK(利用了椭圆曲线加密算法（P-256 elliptic curve）)

隐私信息由以下几个部分组成：

Encryption Information (Long Term Key)
Master Identification (EDIV, Rand)
Identity Information (Identity Resolving Key)
Identity Address Information (AddrType, BD_ADDR)
Signing Information (Signature Key) 

0×02 BLE安全实战测试

1.LE legacy pairing

如图（XX手环二旧版）：

1）.master告知slave要求设置LTK IRK CSRK三类密钥，同时master支撑MITM（需要人参与的权鉴），OOB权鉴方式无额外数据,IO通过keyboard进行输入

*注

LTK:长期密钥

IRK:身份解析密钥   当私有地址周期性变化时可通过IRK并依据list对周期性变化的地址向MAC地址映射（BLE地址随机性）

CSRK：连接签名解析密钥  连接使用数据签名来保护连接（其提供了完整性和认证）

2）slave告知master自己支持 LTK和CSRK，不支持MITM（需要人参与的权鉴）和IRK，OOB权鉴方式无额外数据，IO无输入

3）所以权检的方式应该为JUSTWORK（不进行权鉴直接进行通信）后直接进行pairing confirm的value值的确认 

4）根据请求内容可知使用的配对方式是—LE legacy pairing（32位LTK=STK=S1(MRand，SRand)）

5） 传递 Encryption Information (LongTerm Key) ，Master Identification (EDIV, Rand) ，Identity Information (Identity Resolving Key) ，Identity Address Information (AddrType, BD_ADDR) ，Signing Information (Signature Key)  进行LTK的生成（128位）

**注：

master和slave都要生成各自的LTK/EDIV/Rand组合，并共享给对方。因为加密链路的发起者需要知道对方的LTK/EDIV/Rand组合，而Master或者Slave都有可能重新发起连接

为什么LE legacy pairing的LTK需要EDIV/Rand信息呢？因为LTK是各自生成的，不一样，因而需要一个索引去查找某一个LTK（LE Secure Connections，LTK是直接在配对是生成的，因而就不需要这两个东西）。

6）在此之后对数据进行了加密（因为数据已经加密，未获取到LTK（被STK加密）同时Wireshark无解密功能，故此处数据解密失败失败）

2.LE Secure Connections 权鉴、配对、加密的过程

如图（XX手环二新版）：

3.未进行配对加密过程

如图（XXOBD智存版）

整体建连到数据传输过程中未见LTK参与，未见数据加密

1）首次和OBD设备建即进入仪表盘，App向OBD请求诊断数据。图中：ATAUTORUN0

2）OBD发送App诊断结果可见

是不是很有趣呢，OBD诊断的命令和诊断结果都没有进行加密，一旦通过劫持的手段注入恶意的数据，就像前一篇片文章一样，CAN命令注入。

0×03 BLE安全另类测试

讲一个实际项目中的案例，根据对BLE整个的安全性分析过程，将安全测试的重点放在，蓝牙地址随机性，安全协商，SMP和CSRK（连接签名解析密钥）的正确使用以及LTK的使用几个方面

这个奇怪的东东，根据APP端发送的信号，调节震动频率以及震动的时长

这里仅看下传输的数据

在配对的过程中的协议，并未发现使用SMP，所以BLE模块和APP之间并不会进行安全的权鉴

同样，没有SMP就不会使用LE legacy pairing 和 LE Secure Connections 

在APP下发命令：

选择震动类型时使用时，handle使用的是4c,value值从0-7

增加震动等级，handle使用的是4e，value的值为02xx-10xx

例如，使用4级震动value为04xx

启动震动,handle使用的是4e,value值为xx01

停止震动时，handle使用的是4e,value值为xx00

所以~~~，根据规则 伪造数据，就可以远程恶意控制该硬件了

0X04 安全展望

随着IOT融入到我们的生活当中，智能设备的功能性和信息化循序增强，我们必须在危险真正到来之前未雨绸缪，给原本就脆弱的IOT增加安全的保证，不仅保证信息安全，更是保证生命安全。

* 本文作者：麦片与老干妈，本文属FreeBuf原创奖励计划，未经许可禁止转载

《金融时报》报道称，中国正在干扰外资企业使用的 VPN。VPN 通常是一种保护通信安全的工具，但在中国它经常被用于绕过审查。但近几个月，一些公司表示，它们很难使用定制的 VPN。同时，监管机构一直在推动跨国公司购买和使用经政府批准的 VPN。使用这类 VPN 每月可能要花费数万美元，还会使用户的通信暴露在审查人员的眼皮底下。威凯平和而德律师事务所驻北京合伙人 Lester Ross 称中国的意图是完全控制信息流。一家美国非营利机构和一家英国公司分别表示，他们的定制 VPN 已遭屏蔽，干扰了他们的运营能力。一家美国财富 500 强公司的一名员工表示，最近几个月，在北京的办公室越来越难以通过公司的 VPN 访问那些被屏蔽的网站。

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

Our industry is littered with examples. First: security warnings. Despite researchers' good intentions, these warnings just inure people to them. I've read dozens of studies about how to get people to pay attention to security warnings. We can tweak their wording, highlight them in red, and jiggle them on the screen, but nothing works because users know the warnings are invariably meaningless. They don't see "the certificate has expired; are you sure you want to go to this webpage?" They see, "I'm an annoying message preventing you from reading a webpage. Click here to get rid of me."

Next: passwords. It makes no sense to force users to generate passwords for websites they only log in to once or twice a year. Users realize this: they store those passwords in their browsers, or they never even bother trying to remember them, using the "I forgot my password" link as a way to bypass the system completely -- ­effectively falling back on the security of their e-mail account.

And finally: phishing links. Users are free to click around the Web until they encounter a link to a phishing website. Then everyone wants to know how to train the user not to click on suspicious links. But you can't train users not to click on links when you've spent the past two decades teaching them that links are there to be clicked.

We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without­ -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it­ -- "stress of mind, or knowledge of a long series of rules."

I've been saying this for years. Security usability guru (and one of the guest editors of this issue) M. Angela Sasse has been saying it even longer. People -- ­and developers -- ­are finally starting to listen. Many security updates happen automatically so users don't have to remember to manually update their systems. Opening a Word or Excel document inside Google Docs isolates it from the user's system so they don't have to worry about embedded malware. And programs can run in sandboxes that don't compromise the entire computer. We've come a long way, but we have a lot further to go.

"Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- ­not just those with "security awareness."

This essay previously appeared in the Sep/Oct issue of IEEE Security & Privacy.

《明镜》周刊根据Edward Snowden泄漏的NSA文件指出，美国在全球80多个地点设有特殊情报搜集部（Special Collection Service，SCS），专门监控所在地区政府部门的通讯，北京、上海、成都、香港、台北等亚洲城市榜上有名，美国在东亚两个盟友韩国与日本则不在名单之上。2010年8月13日NSA的一份演示文件包括了一张展示出当时SCS分布在全球各地所有监听站点的地图，其中74个为活跃站点，3个为休眠站点，14个为匿名遥控站点。19个位于亚洲的站点中包括北京、上海、成都、香港和台北。美国驻扎在这些地区的外交官的任务除了推动双边关系外，显然还担任着特殊使命。中国外交部发言人华春莹29日表示，中俄等国已向联合国提交了“信息安全国际行为准则”草案，并努力推动相关谈判。

No matter which country you live in there are always people in authority seeking to limit which websites you’re able to view.

Admittedly some sites are quite rightly deemed repulsive to society in general and 99% of the public have few problems with them being hidden away. However, the blocking of ‘normal’ sites is much more controversial.

China is infamous for its Great Firewall and its censorship of anything it pleases from Twitter to YouTube. Iran also has concerns that its citizens’ minds will be influenced by Western thinking via the web. Overall, oppressive regimes tend to see some websites as having a destabilizing effect, so they censor them to maintain control.

In recent times the notion of website blocking has become fashionable in the West too, mainly because certain domains are viewed as offensive to the music and movie industries. The Pirate Bay is blocked in many countries and just this week the UK added another three sites to its ISPs’ filters – KAT.PH, H33T and Fenopy.

But, as mentioned countless times in the past, these filters represent mere temporary roadblocks for the determined and today we bring news of an exciting project that allows almost anyone to access any site they like in seconds. Best of all, it takes just a few minutes to setup and it’s completely free.

The Graduate School of University of Tsukuba, Japan, has just launched the VPN Gate Academic Experiment Project with the aim “to expand the knowledge of Global Distributed Public VPN Relay Servers.” We’re very happy to help them with that today.

How it works

Volunteers have given the University access to dozens of VPN servers located all over the world which people can access from pretty much any device running Windows, Linux, iOS, Android and more. No sign up or user registration is needed. Once connected the user’s IP address is hidden and switched for one issued by the VPN of their choice selected from dozens around the world.

Protocols and the SSL-VPN client

Several protocols are accepted, such as L2TP/IPsec, SSTP and the popular OpenVPN, but things get really streamlined for those who select the SSL-VPN option. This requires the easy installation of the Windows freeware client SoftEther VPN but it’s straightforward and only takes a couple of minutes.

The beauty of running the client (which is also developed by the University and will soon go open source) soon becomes apparent. Not only does SoftEther offer SSL-VPN tunneling via HTTPS to pass more easily through NATs and firewalls, it has another trick up its sleeve.

The client comes with a nifty pre-configured plugin which displays a list of all the available VPN servers offered by VPN Gate (see below). This enables the user to activate, disconnect, or switch between VPNs with just a click. This means that there is no need to set up each VPN connection manually in an operating system, although that can be done if the user prefers.

Unblock any site in an instant

Want to unblock The Pirate Bay, KAT.PH or H33T in the UK? Easy, just select any server that isn’t in the UK and preferably outside Europe. Want to access YouTube in China? Simple, just access any non-domestic VPN server. US citizen who needs to use Hulu overseas? Fine, just pick a United States server. UK citzen who needs to access the BBC iPlayer abroad? A UK server will provide the solution.

Once a server is selected and connected to the client, simply use your regular browser and other Internet applications as usual and traffic will be diverted through the VPN.

Tests

TorrentFreak carried out some basic tests yesterday and got some decent results. We successfully unblocked all of the blocked torrent sites in the UK, accessed Hulu from outside the US, and watched the BBC iPlayer and TVCatchup services from outside the UK.

Also, since the people at VPN Gate apparently have no problem with people using the service for video transfers (they mention YouTube specifically), we conducted some limited BitTorrent runs on half a dozen servers around the world. In each case we connected to a VPN server via the SoftEther Client and carried out tests with a service such as TorrentIP to ensure that our IP address when using BitTorrent had actually been changed. All but one of our tested servers worked fine while another appeared to block torrents.

Performance, logging and offering your computer as a server

As might be expected, performance changed from server to server but in each case browsing and transfer speeds were more than acceptable for a free service. Each server shows its available bandwidth so picking one with more tends to yield better results. That said, we tried a couple of slower ones and they performed just fine too.

While VPN Gate offers anonymity to a point, they do keep connection logs for around three months. In common with most other VPN services they do not monitor your activities but will comply when ordered to do so by the local courts, in this case those in Japan. However, each VPN server has its own logging policy and many appear to delete logs after a couple of weeks, if they keep them at all.

To give an outline of how the logging might affect users in real-life situations, we can look at a few scenarios.

If a US citizen carried out file-sharing on a US VPN server, he might be logged by those carrying out six strikes in the US. However, if that same user selected a server overseas, he would not be monitored by six strikes. Equally, an Iranian or Chinese citizen looking to carry out activities frowned upon by his or her government would be advised to use servers located outside their respective countries.

Finally, please use the services responsibly – respect the volunteers offering their services and consider becoming one yourself. If you have a Windows computer and can offer your bandwidth, click here for more information.

Source: Free Access To Dozens of Anonymous VPNs Via New University Project