
End of the Freebies: I Also Know What You Download (Part 2)

UPDATE: post updated 11 May 2017.

About a month ago I wrote a post about a certain bad service that tracks downloaded torrents. Now there is a reason to write a small sequel.

NOTE: what follows is a little filler, about this and that, so you can go directly to the section "Getting to the point."
Although many people wrote that the statistics for their IP addresses were bogus, for me everything was quite accurate. It is unpleasant when such statistics are collected about you. So the need to gradually move to a VPN was obvious to me; it only remained to decide which one.

That is how an interesting continuation of the topic came about.


DISCLAIMER: I, of course, do not download any films, and in general I made it all up.

First, a few lyrical digressions.

It is worth noting that enabling encryption in the torrent client does not help against this snooping.
(UPDATE: in fact, disabling DHT in the torrent client does help against such surveillance.)
Leaving aside the really hardcore options such as I2P, we in fact have two options: use a VPN service, or rent a machine in the cloud and download through it (or set up a VPN server there; the difference is not essential). Recently a good article caught my eye: "Your VPN-server: pros, cons and instructions" (by user samat). It lists projects and scripts with which you can set up a VPN server from scratch. It is so simple (literally running one command) that you could even write about it here, and not on Habr. But in any case, it is logical to write the continuation in the same place as the beginning.

Having tried one VPN service, the link to which I gave last time (for the promo), I was not thrilled. It is slow. The servers are shared and heavily overloaded. And not all of them support torrents at all. Yes, there are VPN services that provide dedicated servers. But the price tag there is much higher. Obviously, it has to be more expensive than setting up the server yourself. Therefore, I decided to deploy my own server. Fortunately, this has become trivial with such scripts. I once did it manually with OpenVPN in AWS, but that was a long time ago, on Windows, and on the Free Tier (not an option because of traffic restrictions).

The question of choosing between a VPN service and your own VPN server will be left for another time.

But first I had to choose a hosting provider. The same article mentioned the Scaleway service at $3 per month. Sold on the price, I started with it. This is not an advertisement; I have no connection with it. As a reminder, there is a search engine for cheap VPS: lowendstock.com.

For this $3 we get 2 x86 cores, 2 GB, 50 GB and unlimited traffic. It looks like a fairy tale. The catch is that right at the time of writing this post, these machines were temporarily unavailable: "VC1S servers are temporary out of stock".

I did not try all three scripts; I took hwdsl2/setup-ipsec-vpn (it uses Libreswan/xl2tpd for IPsec/L2TP, Cisco IPsec VPN, IKEv2). Works like magic.
After 2 minutes you have your own VPN server, to which you can connect using the built-in Windows tools (as well as those of all other operating systems); you don't need any OpenVPN. To those who need OpenVPN I can recommend another script: https://github.com/Nyr/openvpn-install (similarly, one command and several interactive questions). The choice between OpenVPN and IPsec/IKEv2 is a separate big topic.
Of the main differences, it is worth noting that IPsec/IKEv2 works only through two UDP ports, 500 and 4500, whereas OpenVPN can run on any port, over either UDP or TCP, and that IPsec/IKEv2 clients are built into most operating systems. A good post on the topic: "VPN everywhere and everywhere: IPsec without L2TP with strongSwan" (it is about strongSwan, not Libreswan, but still interesting).

Important: the hwdsl2/setup-ipsec-vpn script (i.e., Libreswan) does not work with OpenVZ, only with KVM/Xen (other implementations may work). This is important when choosing a VPS!
If you use the Scaleway + hwdsl2/setup-ipsec-vpn combination, keep in mind that the Linux kernel installed on the machine by default (it is their own, modified one) is not compatible with IPsec. It must be changed. Fortunately, this can be done directly in the web interface (you should choose 4.8 instead of 4.4).


Then I remembered that I actually have an Azure MSDN subscription, so why spend $3 when it is free.

I repeated the procedure in Azure. At that moment, by the way, I understood why nobody uses Azure for virtual machines. You only need to compare the usability of creating virtual machines on Azure and on other services. Example: I filled in the machine template in Azure and immediately set up the firewall rules: for Libreswan/IPsec you need to open two ports, 500 and 4500. Azure requires you to enter a priority for each rule; I entered 100 for both. Everything was saved. I launched the deployment. It failed. Why? Because rules cannot have the same priority. No words. OK, I want to fix it and restart. But that wizard is no longer there. Now you have to go into the JSON template and edit it there. In general, you would use it only if it is free, or out of necessity.
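The duplicate-priority failure described above can be caught before the deployment is launched. The following is an added example, not part of the original post: a small linter for the network security group section of an ARM template. It assumes the standard `Microsoft.Network/networkSecurityGroups` layout; the NSG name and rule names in the sample are constructed.

```python
import json

# Constructed sample: NSG fragment of an ARM template with the mistake from
# the post (both IPsec rules given priority 100). All names are made up.
TEMPLATE = json.loads("""
{"resources": [{
  "type": "Microsoft.Network/networkSecurityGroups",
  "name": "vpn-nsg",
  "properties": {"securityRules": [
    {"name": "ike", "properties": {"priority": 100, "direction": "Inbound",
      "access": "Allow", "protocol": "Udp", "destinationPortRange": "500"}},
    {"name": "nat-t", "properties": {"priority": 100, "direction": "Inbound",
      "access": "Allow", "protocol": "Udp", "destinationPortRange": "4500"}}
  ]}}]}
""")
REQUIRED_UDP = {500, 4500}  # IKE and IPsec NAT traversal, as named in the post

def covers(port_range, port):
    """True if an NSG port expression ("*", "500", "4000-5000") covers port."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def lint_nsg(template):
    """Return a list of problems found in every NSG of the template."""
    problems = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/networkSecurityGroups":
            continue
        seen, open_udp = {}, set()
        for rule in res["properties"].get("securityRules", []):
            p, name = rule["properties"], rule["name"]
            key = (p["direction"], p["priority"])
            if not 100 <= p["priority"] <= 4096:  # range Azure accepts
                problems.append(f"{name}: priority {p['priority']} out of range 100-4096")
            if key in seen:  # priorities must be unique per direction
                problems.append(f"{name}: priority {p['priority']} already used by {seen[key]} ({p['direction']})")
            seen.setdefault(key, name)
            ranges = p.get("destinationPortRanges") or [p.get("destinationPortRange", "")]
            if (p["direction"], p["access"]) == ("Inbound", "Allow") and p["protocol"].lower() in ("udp", "*"):
                open_udp |= {port for port in REQUIRED_UDP for r in ranges if r and covers(r, port)}
        problems += [f"{res['name']}: UDP {port} not allowed inbound" for port in sorted(REQUIRED_UDP - open_udp)]
    return problems

if __name__ == "__main__":
    print("\n".join(lint_nsg(TEMPLATE)) or "no problems found")
```

Giving the second rule a different priority (for example 110) makes the linter return an empty list.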

But I digress. Anyway, the VPN server on Azure started working. I am pleased: now I have two VPNs, one in Amsterdam, the other in Dublin. Cool. But not really. The ping for the Scaleway one in Amsterdam is 50 ms, and for the Azure one in Dublin it is 60 ms. Sad.

A question for the experts: is 50-60 ms normal for an IPsec VPN server in Europe?
For comparison, over OpenVPN to the same machine in Azure (Dublin) the ping is 68 ms.

In fact, all of that was a long introduction.

Getting to the point

I checked how torrents download through the VPN in Azure: 7 Mb/s. Well, great.

DISCLAIMER: I certainly didn't download a movie; I was purely testing, did not finish the download, and deleted it. Well, you understand.

A day later, a letter arrives from the Microsoft Azure Safeguards Team saying that I violated the Digital Millennium Copyright Act, because a complaint about my server (its address) was received from an agent of Paramount.
The letter:

Action Required: Digital Millennium Copyright Act (DMCA) Violation

Microsoft Azure Safeguards Team Report on the Digital Millennium Report for your copyright infringement. Attached is a copy of the original complaint. Microsoft’s Azure Acceptance Policy.

This is a copyright law infringement violates the use of the law. You are responsible for addressing your Microsoft Azure deployment. It can be found at azure.microsoft.com/en-us/support/legal.

Please take the following steps to resolve this notice:
· If you’re doing so, you can’t get it.
· If you are disputing that you have been a valid copyright, please contact us. Consult the DMCA's requirements for counter notices included below.
· Have you got any questions?

Thank you,
Microsoft Azure Safeguards Team
Cyber Defense Operations Center

The attachment contains the complaint itself. The complainant is an agent of Paramount Pictures.


That is, a certain Adrian from the company IP-Echelon, an agent of Paramount Pictures from Hollywood, Los Angeles, USA, sent a notice saying that from the specified IP address, owned by Azure, someone distributed files with video content owned exclusively by Paramount.

Draw your own conclusions, as they say (see UPDATE 3).

I suggest sharing your experience in the comments. Has anyone encountered something similar with other services?


Yes, Microsoft is an American company that will comply with American laws (the DMCA), even if the server is located in Europe. But in Europe there are similar laws. That is, the choice of hosting was wrong from the start. But the point of the article is to draw attention, when choosing a VPN, not only to the technical aspects but also to the legal ones.
As already noted last time, the mere fact of turning on a VPN on a machine does not guarantee privacy. There are many reports of people who downloaded torrents through a VPN and received notices from their ISP (not in the Russian Federation; we do not have that yet), for example: one, two.

Here is an interesting list of VPN providers "which Take Your Anonymity Seriously":
https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/. But we must remember that a claim of "we do not log anything" cannot be verified. Here is an interesting post on the topic: "Don't use VPN services".


The following suggestion comes from user Jeditobe:
Friends, I remind you of the wonderful idea of blacklists of the IP addresses of copyright enforcers.

UPDATE 3: conclusions

The following conclusions can be drawn (besides the fact that "only morons download torrents via Azure"):

Thanks to user Vilgelm, who mentioned Plex (plex.tv) in connection with seedboxes. This is a very cool media server. It is available for all platforms. If you have a NAS, it is simply a must. I have a QNAP NAS and, compared with their native Video Station, the difference is night and day. Accordingly, if we have a VPS in the cloud, we can put Plex on it and watch movies from it through a convenient interface or a mobile application (for viewing from the mobile applications they do want $5 per activation, but it works fine through the browser).
Since I was not aware of it myself, I will allow myself to recommend that everyone who has not heard of Plex take a look at it.

Source: https://habr.com/ru/post/401039/
