July 2013 Archives

New website online

Dear users,

we switched to our new website today. A few noteworthy features:

  • As part of the redesign we adapted the way guides are presented to the user. It's now easier to navigate through all of the installation steps that make up a guide.
  • Once you are logged in you will now have a proper dashboard. We hope that it makes it easier for you to navigate and find stuff that you are looking for.
  • Most of the time we spend fixing your issues goes into getting the right information. To improve this process we have added a help wizard which asks you for some basic information about your setup, so that we can respond faster and with a more qualified answer.
  • The payment interface was overhauled as well. You can now select from more payment options and we offer more flexible time intervals (more payment options coming ... but no CC payments).

In case you dislike something or want us to know what you think, please use the feedback form when you log out.

The IPredator team

Dear reader,

so we came across a data leak when using OpenVZ. The OpenVZ guys were nice enough to send us a few answers via Twitter. While OpenVZ is a cool project, it seems that there is no sensitivity for the issue presented in our short article, and it requires a longer reply than Twitter's character limit allows. Here we go (the replies are loosely grouped together):

OpenVZ: vzstats is described in great detail, and vzctl introducing vzstats deb clearly refers to it. We are not sneaking in.
OpenVZ: Unlike deb, rpm install is not supposed to be interactive, there is no single such package in fedora/rhel/suse.
OpenVZ: mkdir /etc/vz && touch /etc/vz/vzstats-disable before installing/updating openvz: stats are never sent, not even once.

So an automatic installation that sends sensitive information at least once is not sneaking something in, as long as you mention it in the package description that every admin will read? You say that the majority of users will notice this and fix the issue to prevent their system from sending internal information insecurely over the Internet?

OpenVZ: It is written in shell so anyone can easily see what is going on -- we were waiting for detailed analysis like yours.
OpenVZ: If you want any changes in vzstats -- file bugs to bugzilla, preferably with patches ;)
OpenVZ: Nice idea of doing https and/or gpg -- will work on that

When we send you a patch for HTTPS or GPG, will this magically fix your infrastructure too? Having HTTPS support is not a nice idea, it's the bare minimum of security that should be implemented. Your statistics host in the USA is still only reachable via HTTP and not HTTPS. You did not disable the service, implement a fix, roll it out and re-enable the safer version; you just shut down the httpd. There is a difference between a bug and a design flaw (see below).

OpenVZ: And we need some sort of id to update (rather than add) existing info in db.
OpenVZ: We don't use lspci output -- the idea was to get a sense of what drivers openvz users need, but it was not implemented

Well, some reference is of course needed ... if the server admin is willing to participate! As for lspci: nice that you do not use it. What about the collection of top CPU processes that was added in the last version?

OpenVZ: We can't opt-in because there is no single interactive component in openvz, so no one will turn this on.

Please take a step back and look at the effects of your implementation. We just learned (or rather got official verification) that most (if not all) of our governments install taps on the Internet infrastructure, because it's as easy as sniffing an open WLAN. Does it not bug you that systems operated by:

  • activists - nasty buggers that want to uphold the law,
  • companies - juicy target for industrial espionage or SIGINT,
  • government-critical organizations - opposing political parties or unions come to mind,

are essentially telling our dear governments which 0day they need to spend in order to compromise a desired host? Your system certainly provides enough information to make it a lot easier.

We understand your desire to gather some data to help your project development, but please please please implement it in a way that is appropriate for 2013. Thank you!

The IPredator team

Update Visa vs. PaySon, SSL changes

Dear users,

a short update on the payment situation and SSL changes.

Payson and the evil twins

So Payson plays dead and does not return our inquiries. Thanks for violating your own ToS, which states that information about policy changes will be announced 14 days prior to the change. Interestingly, they claim that there was no change of policy. In that case it is just a bit strange that we received 2 mails on Friday the 28th informing us ... about a policy change. Thank you for not playing by your own rules.

As far as Visa and Mastercard are concerned, they claim that they had nothing to do with it. So lots of fingers pointing, but nobody is ready to admit anything. We received a handful of mails from other people that had been affected by a similar tactic. We had an alternative that was ready to go, which informed us today that they got notice from Visa and Mastercard that we are on a "special" list for illegal activities. The management at that particular payment processor is a bit confused now, because they also host other VPN services that obviously don't do illegal things. We will continue to investigate the issue and keep you in the loop. Fear not, there are other options available; it just takes a bit of time to put them into place.

SSL changes

We upgraded (most of) our websites to offer ECDHE ciphers as the preferred choice (to take advantage of Perfect Forward Secrecy) and removed some cipher combinations that are not deemed suitable anymore. If you experience issues connecting, please write us an email about it. The remaining services (e.g. Jabber, TPB proxy) will be updated soon.
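As an added illustration of the cipher-list policy described above (this is not IPredator's actual configuration; the cipher strings they deployed are not given here), the following Python audit checks an OpenSSL-style preference list for two properties: forward-secret (ECDHE/DHE) suites ordered first, and known-weak suites removed. The sample lists and the weak-marker table are constructed assumptions.

```python
"""Audit and harden an OpenSSL-style cipher preference string.

The policy mirrors the post: ephemeral (EC)DH key exchange first so that
Perfect Forward Secrecy is negotiated whenever the client supports it, and
suites that are no longer deemed suitable dropped entirely.
"""

# Key-exchange prefixes that give forward secrecy (ephemeral (EC)DH).
PFS_KX = ("ECDHE-", "DHE-")

# Substrings of OpenSSL suite names a hardening pass would drop (constructed
# policy: RC4, single/triple DES-CBC, export grade, NULL, MD5 MAC, anonymous DH).
WEAK_MARKERS = ("RC4", "DES-CBC", "EXP", "NULL", "MD5", "ADH", "AECDH")


def is_pfs(suite: str) -> bool:
    return suite.startswith(PFS_KX)


def is_weak(suite: str) -> bool:
    return any(marker in suite for marker in WEAK_MARKERS)


def audit(cipher_string: str) -> dict:
    """Return findings for a colon-separated list, in server preference order."""
    suites = [s for s in cipher_string.split(":") if s]
    weak = [s for s in suites if is_weak(s)]
    non_pfs = [s for s in suites if not is_pfs(s)]
    # PFS is only "preferred" if every PFS suite sorts before every non-PFS one;
    # otherwise a client can be steered to a static-RSA suite it also supports.
    first_non_pfs = next((i for i, s in enumerate(suites) if not is_pfs(s)), len(suites))
    last_pfs = max((i for i, s in enumerate(suites) if is_pfs(s)), default=-1)
    return {
        "weak": weak,
        "non_pfs": non_pfs,
        "pfs_preferred": last_pfs < first_non_pfs,
        "pfs_only": not non_pfs,
    }


def harden(cipher_string: str) -> str:
    """Drop weak suites and move PFS suites to the front, keeping relative order."""
    suites = [s for s in cipher_string.split(":") if s and not is_weak(s)]
    return ":".join(sorted(suites, key=lambda s: 0 if is_pfs(s) else 1))


# Constructed sample lists: a 2013-era legacy list and a PFS-first replacement.
OLD_LIST = "AES128-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA"
NEW_LIST = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:"
            "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-SHA")

if __name__ == "__main__":
    print(audit(OLD_LIST))
    print(harden(OLD_LIST))
    print(audit(NEW_LIST))
```

The server order only matters if the server enforces its own preference rather than the client's, so that setting has to be enabled alongside the list.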

The IPredator team

Dear users,

we are sorry to inform you that PaySon is not able to process any credit card payments from you anymore. They changed their policies after being bullied by Visa and Mastercard into excluding VPN services. We did not really receive a heads-up about that change, so you have to go with a wallet provider at the moment while we are looking into alternatives.

Alternatively you can pay using BitCoins or PaysafeCards for the time being. Right now we are trying to get a written statement about the whole issue in order to clear things up.

Stay tuned,

The IPredator team