Completely anonymous VPS
- Thread starter D. Strout
- Start date
The problem with virtual credit cards from what I've seen is the extensive verification they do on the user anyways. If the virtual credit company gets pressured into releasing details or got hacked the safety of the user identities would be gone.
In some cases having a level of anonymity can help in non illegal activities such as leaking pictures of a new device you want and specs without fear of Microsoft rooting through your stuff (Linky) or ferociously tracking the spoiler down.
That doesn't make much sense. I want to be anonymous to pretty much everyone. If I buy beer, I'm not going to do anything dodgy with it (like drink and drive), but I don't want identifiable records kept of the transaction so someone can track my drinking preferences or keep the info on file in case the Taliban takes over the US and goes after beer drinkers. I don't go to those bars where they scan your drivers license at the entrance. If I buy a newspaper I don't want a record of that either. Anything interesting content in it is going to be disfavored by someone or other, so I don't need them knowing that I bought the paper. There's not much potential for a buyer abusing a newspaper, so the abuse potential on the seller side predominates the issue.
For VPS there's substantial enough abuse potential on the buyer side (e.g. spam) that sellers generally don't want to deal with anonymous buyers and the tradeoff changes. I can understand this and go along with it, and I like the budget VPS industry since 1) they tend to have some clue about privacy, and 2) they're too overworked keeping their stuff running to spend much effort on abusing the info they have available. If Google offered free VPS I wouldn't use them since they have the resources and mindset to abuse any info they can touch. There are certainly non-dodgy uses of VPS where anonymity is important: for example, maybe you have a blog where you write about controversial ideas (such as privacy). There are still ways to do that but it's not as convenient as it would be in a more ideal world.
I notice that VPN services seem a bit more anonymity friendly than VPS, maybe because of lower abuse potential on the buyer side, or maybe because a high enough fraction of VPN users want anonymity that hosts don't want to pass up the business. That may also be reflected in the higher costs of VPN services vs. running a VPN on your own VPS.
Anyway if you're doing something dodgy that's likely to get noticed (e.g. spamming) then anonymity won't help much, the VPS will get shut down either way.
Last edited by a moderator:
drmike
100% Tier-1 Gogent
DigitalOcean, really? They are requesting ID docs? Under what conditions/terms/etc.?
If so, I am promptly cancelling all services I have with them.
Aldryic C'boas
The Pony
If you don't trust your provider, why would they ever trust you?
I deal with this pretty frequently, people trying to sign up under anonymous or falsified information ("Fake Name Generators" aren't as reliable as you think against experienced auditors). Tons of excuses; Some providers are sketchy / I don't want my info leaked / I'm really just ordering for a friend... I've probably heard them all by now.
It all boils down to doing your research before choosing a provider. If you want your data to be as safe as it can, don't want to worry about how many
Security, safety, and privacy are reasonable expectations and precautions; values I think everyone should strive for. Anonymity is NOT these things - it is a lack of personal responsibility. The GIFT is never so obvious as when you give an Anon resources they can abuse. Is being anonymous that important to you? Go FUBAR someone else's gear - we have legitimate clients to protect.
^ I'm glad to see this knowing I'm not the only one. We carte blanche refuse customers who don't provide correct info and try and use VPNs or proxies. As you said, if you don't trust your provide why would they trust you.
I have one customer who shall remain nameless but despite having all their information, and getting pressure from our upstream and the UK government I gave nothing away and refused to remove them. I'll do that for a legitimate, honest customer. If you want to try and hoodwink me I'll give you up in a heartbeat without a second thought.
Respect and honesty goes both ways. I like Aldryics advice; don't deal with shady hosts and you'll be fine.
I have one customer who shall remain nameless but despite having all their information, and getting pressure from our upstream and the UK government I gave nothing away and refused to remove them. I'll do that for a legitimate, honest customer. If you want to try and hoodwink me I'll give you up in a heartbeat without a second thought.
Respect and honesty goes both ways. I like Aldryics advice; don't deal with shady hosts and you'll be fine.
drmike
100% Tier-1 Gogent
Damn it Ald!
"If you don't trust your provider, why would they ever trust you?"
I fully agree with such. That's why the companies I maintain service with has gone way way down. Has made me question why I even need things out there online in the big picture. Where can I forego such...?
Now getting to this trust factor, I've long been at this and related professional services.... I've seen folks do good and next week go on a bender where their business was useless. Same concept applies to trust, privacy, related.
So, yes, this is the big see-saw or hinge point for providers:
A host that's anal about who they let on their network is a host that's taking care not to compromise a node's worth of clients by letting one asshole one rampant.
^--- I just had a small discussion with a provider about customers yipping about proactive monitoring - complaining when snagged by such and others complaining that such should be even more limiting to prevent mass casualties on a server.
That's the big picture, risk exposure of shared resources.
In business, a company makes decisions based on sales, quotas, forecasting. Similarly and often underlying is the amount of risk they will assume. Each business should suit the ownership and their tolerances (it's their ugly baby).
Now bigger picture, we have special isolation points with a VPS: raw CPU abuse, bandwidth abuse, spam/network behavior abuse, high disk IO.
The disk IO and CPU are the biggies on VPS and origin of most problems. So proper monitoring and container crusher to keep people in the boundaries, is priceless.
BW + Spam + Network behavior abuse, these apply to MOST services - not unique to VPS. Again, requires automation, monitoring and proactivity.
Bigger picture, look at the VPN market (oh you provide VPS instances those companies burn)
... The real companies out there manage the balance between private-like services and managing risk and/or abuse.
I find the provider side of this, well, an art form.
"If you don't trust your provider, why would they ever trust you?"
I fully agree with such. That's why the companies I maintain service with has gone way way down. Has made me question why I even need things out there online in the big picture. Where can I forego such...?
Now getting to this trust factor, I've long been at this and related professional services.... I've seen folks do good and next week go on a bender where their business was useless. Same concept applies to trust, privacy, related.
So, yes, this is the big see-saw or hinge point for providers:
A host that's anal about who they let on their network is a host that's taking care not to compromise a node's worth of clients by letting one asshole one rampant.
^--- I just had a small discussion with a provider about customers yipping about proactive monitoring - complaining when snagged by such and others complaining that such should be even more limiting to prevent mass casualties on a server.
That's the big picture, risk exposure of shared resources.
In business, a company makes decisions based on sales, quotas, forecasting. Similarly and often underlying is the amount of risk they will assume. Each business should suit the ownership and their tolerances (it's their ugly baby).
Now bigger picture, we have special isolation points with a VPS: raw CPU abuse, bandwidth abuse, spam/network behavior abuse, high disk IO.
The disk IO and CPU are the biggies on VPS and origin of most problems. So proper monitoring and container crusher to keep people in the boundaries, is priceless.
BW + Spam + Network behavior abuse, these apply to MOST services - not unique to VPS. Again, requires automation, monitoring and proactivity.
Bigger picture, look at the VPN market (oh you provide VPS instances those companies burn)
... The real companies out there manage the balance between private-like services and managing risk and/or abuse.I find the provider side of this, well, an art form.
Last edited by a moderator:
I pay via PayPal and use a legitimate, real, PO Box as my address when signing up for new services and domains. The PO Box is like $60 year and ensures that (god forbid) there was a WHMCS leak, my physical address could not be determined. Also I won't enter card details for any provider directly, so even paying with a card payments are processed via PayPal. I don't really have any privacy or security concerns this way because I sign up with hosts that I trust.
<shrugs>
<shrugs>
drmike
100% Tier-1 Gogent
This stood out too
Let me fine tune it.Point: VPS market is many providers who have customers. Those customers are a basket of non-business folks. Most are leisure/fun/mischief.
This point about protecting clients, yeah, companies ought to have business customers, know such and be proud of such. That's a market differentiator and sustainable. Direction to go unless you like swapping deck chairs on the VPS Titantic as unloyal consumers trade their hobby VPS for the one that is $1 less.
drmike
100% Tier-1 Gogent
Lots of leaks, not just WHMCS. Points of data on an account can yield all sorts of oh shit info. Considering the propensity of segment of the audience to SWAT folks, I'd say having non-info as your info is just plain sensible.
PO Box info, yeah, it keeps the casual PITA away, but fully able to get your info from the government without any credentials or legal order... Just saying.
Meh. Gubberment knows where I live anyway, because I pay utility bills in my name, have a drivers license, license to carry handgun, vehicle registration, have mail delivered to my home, etc, etc. I'm not concerned with that, they know where I live. Unless the big lady behind the counter at the BMV is some LET skid, I'm not concerned. My only concern is some skids testing newly released exploits on systems that may have my personal data on it from providers who weren't fast enough to patch.
I would never willingly accept an order, as a provider, from anyone using falsified information. The seems like a haven for abuse or having neighbors on the same server that probably lack some sort of moral fiber and would be abusing the service.
I know there are providers who'll accept any ol' order, but they're not providers I'd want to actually use.
Last edited by a moderator:
DomainBop
Dormant VPSB Pathogen
The rDNS of the IP address on my everyday VPN is a domain my company owns, the WHOIS is public, and I'm listed as the domain contact so I'm less anonymous than a non-VPN user who is using a home cable connection.
drmike
100% Tier-1 Gogent
The matter isn't truly being invisible to government. In theory they have access to the pipes to and fro and by design, so navigating around those landmines takes quite a bit of additional effort.
All those points of data you freely put out there, those are problems. As bad as skid operators are, government isn't very much better.
An example, I think it was State of New York, that published data of name and address of every "REGISTERED" gun owner. 1. Why is government collecting said info? 2. Why is such information public? Anything government has or gets, expect for them to be selling/trading/giving to corporations and data aggregation companies. All of that can and will be used for profiling and doing less than benefical things to you, eventually.
My only concern is some skids testing newly released exploits on systems that may have my personal data on it from providers who weren't fast enough to patch.
Explain what you mean - like WHMCS hack where you are customer, right?
See I go further than that. I want to know a company is either two partners investing their life (or small limited number of partners busting tail) or that they are a real company with real employees and policies. Hard to say real company and privacy in the same breath as people get outted for outsourcing to people living in countries where the long arms of justice can't reach them. Seen quite a few former employee data releases.
1. Trust is not binary and it is not transitive. VPS hosts trust their clients to not commit rampant abuse of the VPS itself, but they don't give out the root keys to the host node. Clients similarly trust the host to not run off with their 7 bucks but they shouldn't put highly sensitive info (payment instruments, PGP signing keys) onto the VPS. So in both directions there is neither complete distrust nor complete trust. Where does disclosure of one's personal info fit on that scale of intermediate trust? It will vary from person to person. I don't mind a VPS host having the info but I was upset to find out that they were then turning the info over to ARIN for ipv4 justification. My requests to buy ipv6 VPS with no ipv4 to avoid this disclosure have mostly gone unanswered.
2. Any host that offers services to resellers generally already will not know who is using their network. Yet they do it anyway. So the idea that hosts need the info is unconvincing. As long as abusers get booted pretty quickly that seems to be all anyone expects. (Good example by Drmike: VPN hosts actually operating on other companies' VPS. I forgot about that).
3. Overuse of local machine resources (CPU/disk) seems easy to mitigate with automatic monitoring/throttling and have little long term effect if it doesn't happen too often. I'm surprised that it's a significant issue compared to network abuse. People (like me) wanting to engage in 24/7 CPU saturation figure out pretty quickly that dedicated servers are the way to do it. There's no problem getting unlimited CPU resources anonymously (buy a PC with cash and use it at home). Main purpose of a dedi for me is to get the noisy thing out of the house.
2. Any host that offers services to resellers generally already will not know who is using their network. Yet they do it anyway. So the idea that hosts need the info is unconvincing. As long as abusers get booted pretty quickly that seems to be all anyone expects. (Good example by Drmike: VPN hosts actually operating on other companies' VPS. I forgot about that).
3. Overuse of local machine resources (CPU/disk) seems easy to mitigate with automatic monitoring/throttling and have little long term effect if it doesn't happen too often. I'm surprised that it's a significant issue compared to network abuse. People (like me) wanting to engage in 24/7 CPU saturation figure out pretty quickly that dedicated servers are the way to do it. There's no problem getting unlimited CPU resources anonymously (buy a PC with cash and use it at home). Main purpose of a dedi for me is to get the noisy thing out of the house.
Last edited by a moderator:
drmike
100% Tier-1 Gogent
Well @willie, I agreed with your points and good to see a like mindset.
The ARIN disclosure by providers, of your personal information (name, address, city, state, zipcode, phone? email, IPs issued) - it turns out is 'normal' ARIN shakedown and their rules don't explicitly say/require such. But this practice of forcing the info out of providers is and has been norm for a while, supposedly.
I only became aware of this issue this year. I expect disclosure when and where such is said by the provider, and not in vague BS clauses under partners and legal compliances. ARIN is neither a partner nor are they the government or a court.
Handing info over even for a single IP is highly problematic and I think wrong and perhaps illegal if someone takes the matter to a court.
ARIN also explicitly says they aren't liable for any disclosures of your private corporate info (which would include said data).
A movement for IPV6 only services, yeah it sure is making lots of sense to me now.
nunim
VPS Junkie
I can't believe that no one has mentioned that we've already had this topic, didn't it seem familiar to anyone else?
PayPal now accepts prepaid card as well.
[Edit] I'd also like to point out the fact that as long you're not hiding from the US intelligence community (or "special relationship" countries I suppose, depending on how important you are), it's fairly easy to be anonymous on the internet if you don't get sloppy, i.e. always use an outside line.
My point from the last topic still rings true, the hardest part of being anonymous is not betraying yourself via writing style (which I'm still unsure how to effectively combat aside from a group personal).
PayPal now accepts prepaid card as well.
[Edit] I'd also like to point out the fact that as long you're not hiding from the US intelligence community (or "special relationship" countries I suppose, depending on how important you are), it's fairly easy to be anonymous on the internet if you don't get sloppy, i.e. always use an outside line.
My point from the last topic still rings true, the hardest part of being anonymous is not betraying yourself via writing style (which I'm still unsure how to effectively combat aside from a group personal).
Last edited by a moderator:
DomainBop
Dormant VPSB Pathogen
There is that, but you have to figure that if the info for a single IP exists at all, it is accessible to someone who wants it enough. More bothersome is the idea that there's a consolidated database someplace saying who is using essentially every IP address with a VPS address behind it. It's a good bet that the US Gummint and other such entities have gotten their hands on copies. I wonder if the situation in Europe is any different (RIPE has been exhausted for a while). I need another dedi and am thinking of going to Hetzner in part because their midrange machines have more disk space than OVH's. The IP disclosures may be another reason.
The second you google for the tor client the whole world knows you're interested in tor.
If you do something bad all it takes to track you down is finding your VPS, easy enough nowdays with digital fingerprinting tech, then finding the card used, then finding where it was purchased. Pulling video camera feeds to get your mugshot, pulling traffic camera footage to grab your license plate or follow your bus etc back to your house and then send the FBI to bust down your door. The only reason these guys dont get picked up faster is that they're already tracking you and just building a solid case to ensure you do go to jail, not that they cant find you. Scary right lol
Retail stores are working with facial recog tech to identify and track cash customers as well. Might not be taking pictures of your eyeballs everywhere, but we are very much the minority report advertising world now. Soon if you walk too fast to the shitter in public you'll get text messages with coupons for immodium, or if they see that your leg is broken, an aflac commercial will pop into your facebook feed.
If you do something bad all it takes to track you down is finding your VPS, easy enough nowdays with digital fingerprinting tech, then finding the card used, then finding where it was purchased. Pulling video camera feeds to get your mugshot, pulling traffic camera footage to grab your license plate or follow your bus etc back to your house and then send the FBI to bust down your door. The only reason these guys dont get picked up faster is that they're already tracking you and just building a solid case to ensure you do go to jail, not that they cant find you. Scary right
lolRetail stores are working with facial recog tech to identify and track cash customers as well. Might not be taking pictures of your eyeballs everywhere, but we are very much the minority report advertising world now. Soon if you walk too fast to the shitter in public you'll get text messages with coupons for immodium, or if they see that your leg is broken, an aflac commercial will pop into your facebook feed.
It is pretty obvious that any provider would ask for some Legal Verifiable document to check its genuineness.
If you show them random proof i am sure they will do it themselves.