TorrentFreak

The place where breaking news, BitTorrent and copyright collide

Huge Security Flaw Makes VPNs Useless for BitTorrent

Millions of BitTorrent users who have chosen to hide their identities through a VPN service may not be as anonymous as they would like to be. Due to a huge security flaw, those who use IPv6 in combination with a PPTP-based VPN such as Ipredator are broadcasting information linking to their real IP-address on BitTorrent.

As pressure from anti-piracy outfits on governments to implement stricter copyright laws increases, millions of file-sharers have decided to protect their privacy by going anonymous. In Sweden alone an estimated 500,000 Internet subscribers are hiding their identities. Many of these use PPTP-based VPNs such as The Pirate Bay’s Ipredator or Relakks.

Thus far, these services were believed to adequately hide a user’s IP-address from people they connect to in BitTorrent swarms, but this is not always the case. At the Telecomix Cipher conference a security flaw was revealed that allows third parties to find the true IP-address of someone connected through a VPN.

The security risk is caused by a lethal combination of IPv6 and PPTP-based VPN services, which are very common. IPv6 is the Internet protocol that will succeed IPv4. The protocol is promoted by Windows 7 and Vista, among others, and most people are using it without even realizing it.

The technical details of the vulnerability, explained in this talk (see below), reveal that the true IP-address of users using IPv6 can be easily traced. Even worse, it seems that the Swedish Anti-piracy Bureau may already be using this flaw to gather data on ‘anonymous’ BitTorrent users.

The vulnerability is not limited to BitTorrent either. It can expose people who believe that they are hiding their real IP-address through nearly every connection.

In addition to this gaping hole in VPNs such as Ipredator and Relakks, the talk exposes several other weaknesses from a privacy point of view. Among other things, it is fairly easy to find MAC-addresses and computer names of people who use the same VPN.

The people who run Ipredator are aware of the issue, and TorrentFreak was informed that their users will be notified about the problem. Other VPNs using the same system may want to do the same. From our understanding of the issue, turning IPv6 off should alleviate the threat and make users fully anonymous again.
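
Why an IPv6 address can link back to a real IPv4 address, as an added example (not code from the article or the talk): it assumes the IPv6 connectivity comes from the 6to4, Teredo or ISATAP transition mechanisms that commenters below mention, where the IPv6 address itself carries the host's IPv4 address. The script audits a host's own address list for this; the interface names, addresses and VPN exit address are constructed samples.

```python
import ipaddress

# RFC 1918 ranges: an embedded private address is less identifying than a public one.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_transition_address(addr):
    """Return the IPv4 data embedded in an IPv6 transition address, or None."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %11
    if ip.version != 6:
        return None
    raw = ip.packed  # 16 bytes, network order
    if raw[0:2] == b"\x20\x02":
        # 6to4 (RFC 3056): 2002:AABB:CCDD::/48 carries the IPv4 address in bytes 2-5.
        return {"mechanism": "6to4", "ipv4": ipaddress.IPv4Address(raw[2:6])}
    if raw[0:4] == b"\x20\x01\x00\x00":
        # Teredo (RFC 4380): server IPv4 in bytes 4-7, then flags, then the
        # client's mapped UDP port and IPv4 address, each XORed with all-ones.
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF
        return {"mechanism": "teredo",
                "ipv4": ipaddress.IPv4Address(client),
                "port": port,
                "server": ipaddress.IPv4Address(raw[4:8])}
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        # ISATAP (RFC 5214): interface identifier is [02]00:5efe followed by IPv4.
        return {"mechanism": "isatap", "ipv4": ipaddress.IPv4Address(raw[12:16])}
    return None


def audit(addresses, vpn_exit_ipv4):
    """Flag local addresses whose embedded IPv4 is public and is not the VPN's."""
    vpn = ipaddress.IPv4Address(vpn_exit_ipv4)
    findings = []
    for iface, addr in addresses:
        info = decode_transition_address(addr)
        if info is None:
            continue  # plain IPv4, or IPv6 with no embedded IPv4 address
        v4 = info["ipv4"]
        info["interface"] = iface
        info["address"] = addr
        info["exposes_non_vpn_ip"] = (
            v4 != vpn and not any(v4 in net for net in RFC1918))
        findings.append(info)
    return findings


# Constructed sample: what an address listing on a Windows host might contain.
# All IPv4 values are from documentation or private ranges.
VPN_EXIT_IPV4 = "198.51.100.23"
SAMPLE_ADDRESSES = [
    ("PPP adapter VPN", "10.8.0.6"),
    ("Local Area Connection", "fe80::21a:2bff:fe3c:4d5e%11"),
    ("6TO4 Adapter", "2002:cb00:7107::cb00:7107"),
    ("Teredo Tunneling Pseudo-Interface", "2001:0:c000:22d:8000:63bf:34ff:8ef8"),
    ("isatap.home", "fe80::5efe:192.168.1.20%14"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ADDRESSES, VPN_EXIT_IPV4):
        status = "EXPOSES non-VPN IPv4" if f["exposes_non_vpn_ip"] else "ok"
        print(f'{f["interface"]}: {f["mechanism"]} embeds {f["ipv4"]} ({status})')
```

Any interface flagged here is one to disable, or to route through the tunnel, before relying on the VPN address.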

Talk starts at 2:17:30, BitTorrent part at 2:30:00

  • LOL

    I think half of the readers are running around yelling “OH FUCK FUCK” and burning their hard drives while looking at their street behind their blinds…

    Or at least i’d like to think they are.

  • OTOH

    Or, use OpenVPN instead of PPTP VPN.

  • Anonymous

    Oh boy outdated tunneling protocol.

  • PlumpSamurai

    How do you turn off ipV6 on windows 7?

  • dc!

    And that much for supercool IPv6. I don’t smell conspiracy here, but maybe I am…

  • Anonymous

    So does this mean that if you are using a version of Linux such as Ubuntu 10 lucid (An Awesome OS by the way) or Windows XP/2K you are safe?

    My Advice: Get rid of Windows Vista & 7, roll back to XP or use Ubuntu.

  • Anonymous

    PPTP fail.

  • fromChattanooga

    Now you just need to write an article telling idiots that Peerguardian doesn’t hide your identity, either.

    • http://neuron2neuron.blogspot.com Ben Jones

      @ fromChattanooga

      Now you just need to write an article telling idiots that Peerguardian doesn’t hide your identity, either.

      Our researcher is working on something to that effect at the moment.

  • Anonymous

    OpenVPN. What else ?

  • Andy

    does this affect BT guard, or am i safe?

  • Andy

    does this affect BT guard, or am i safe? i dont think it does, Bt guard is a proxy, not VPN

  • cdcase

    Even worse, it seems that the Swedish Anti-piracy Bureau may already be using this flaw to gather data on ‘anonymous’ BitTorrent users.

    What does that mean more information please

    does this mean that all vpn is this a fundamental with ipv6 that or can it be fixed with an update or what?

  • anonymous

    so what can the suppliers of vpn services do and are they prepared to do anything anyway?

  • Anonymous

    Those of us with half a brain that have been repeatedly saying in comments that VPN is not the be all, end all of safety that so many TF readers seem to think it is – only to be repeatedly scoffed at – are laughing our asses off right now.

  • Afficianado

    The protocol is promoted by Windows 7 and Vista

    and there’s your problem.

    Embrace Linux

  • hmm

    go to command prompt in xp, type ipv6 uninstall

  • cdcase

    13 not much i guess they can do except change protocol the service runs on or when you sign up the provider can make a start up program that can disable ipv6

  • John

    @15

    from ubuntu 8.10 on it has become harder to turn off ipv6

    at least in 8.10 it is do-able with out a kernel recompile … after that in ubuntu 9 + it requires a custom kernel …period!

    ipv6 is the industry standard for we are spying on you made easy! As in, very few firewalls have FULL ipv6 support, if any!

    cheers

  • noobage

    I use OpenVPN which uses SSL. I disable IPv6.

    Also you need to prevent “DNS leakage” for IPv4. Usually your DNS is set to auto obtained, set it to a defined DNS that is secure such as OpenDNS.

  • noobage

    Here is the instruction to change your dns to OpenDNS: https://store.opendns.com/setup/computer/

  • Beavis and Butthead

    PPTP for my Bunghole!!

    huh huh huhhh.. he said hole.

  • Afficianado

    >John:

    @15

    from ubuntu 8.10 on it has become harder to turn off ipv6

    at least in 8.10 it is do-able with out a kernel recompile … after that in ubuntu 9 + it requires a custom kernel …period!

    ipv6 is the industry standard for we are spying on you made easy! As in, very few firewalls have FULL ipv6 support, if any!

    cheers

    Sorry John, I was trying a bit of irony there!

  • duane

    @18 John

    WTF are you talking about? This works for me:

    sudo su -
    echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

  • John

    @23
    just tried that on a new ubuntu 10.4 install – all i get is a false sense of security …as in an unknown scope and an awesome wide netmask of 0.0.0.0

  • Anonymous

    this really isn’t news. pptp has always been regarded as more than a little sketchy when it comes to anonymity/security. don’t bash vpn bash microsoft’s crappy implementation.

    i use open vpn which is what everybody should be using. it’s almost as fast and a million times more secure. the only reason pptp is still around is the fact that these crap vpn providers don’t have to do anything to configure their servers using pptp, windows configures everything for them. so any idiot can rent some bandwidth and sell a vpn service.

    kinda a misleading headline though, only when you get to the end of the article does it mention that the security flaw is not bt specific but a general flaw related to the protocol.

    at least now this pptp crap will finally disappear.

  • 133t

    getting a cheap shell a/c and setting up socks 5 proxy is a no-brainer, for BT or for surfing, i don’t know why ppl believe in vpns !!

  • Anonymous

    “Now you just need to write an article telling idiots that Peerguardian doesn’t hide your identity, either.”

    Everybody knows what Peerguardian does and it’s working. Everybody knows that it does not hide your ID but helps keep the parasites away from your system.

  • rikhard

    @18 dude what are you talking about?

    just put net.ipv6.conf.all.disable_ipv6=1 into /etc/sysctl.conf or into a file within /etc/sysctl.d/

  • Anonymous

    Good thing I’m still using IPv4.

  • Rabbit80

    Windows Vista / 7 Users…

    Click your “Start” button and type “network connections” , press enter.

    You will see all your network adapters listed (including your VPN)

    Right click one of them and choose properties. Untick the “Internet Protocol Version 6 (TCP/IPv6)”

    Click OK.

    Do the same with all your adapters then reboot.

    Question for TF….

    Would simply disabling IPv6 for the VPN suffice?

  • SomeIdiot

    Geeez, why so paranoid? Use a seedbox/dedi and save your home resources and the need for a VPN..

  • Ninja

    LoL. Amusing. I never tried to hide though so it doesn’t affect me. But #1 is right, half of the readers probably started running around their rooms asking “OH FUCK WHAT AM I GONNA DO?” and many HDDs flew off the windows lmao.

    maybe those vpns will evolve and stop using the buggy/untrustworthy pptp thing.

  • Anonymous

    The problem with BT is that even if you see the IP address of someone on it does not necessary mean that this IP address was actually using BT. It could be one of these random addresses generated by a tracker.

    So this type of evidence does not weigh much with BT anyway.

  • Anonymous

    pptp is crap, why are people still using it. use open VPN

  • Gavin

    Wasn’t me! Must have been my neighbour using my unsecured wifi.

    Oh no I mean, what’s WiFi, and don’t know if my wifi is secured?

  • cdcase

    Could someone explain this to me? I thought most vpns such as Ipredator and Relakks use ssl encryption so how do they see anything?

  • rikhard

    they should use IPsec or openvpn, i simply don’t know why Ipredator is using a m$ protocol!!!

  • Shellfish

    Remember if you are using the internet you are never anonymous. Some of you VPN users forgot that.

  • Chris

    So does this affect macs?

  • deeb

    Anyone know if VyprVPN is PPTP-based?

  • Anonymous

    @34

    read #25 for your answer

  • Anonymous

    @37

    yes it is

  • John (2)

    Hm, seems like people are a little confused about what IPv6 is..

    Usually you can’t just ‘turn it off’. Your ISP either assigns you one or it doesn’t. In France IPv6 is very popular. In the UK, it’s very rare. You’d need to go out of your way and set up an IPv6 tunnel broker to get one.

    Anyway, PPTP does work with IPv6. It’s not a huge security hole – it’s just that some VPN providers aren’t IPv6 compatible, and just tunnel (encapsulate) the IPv6 packets in their IPv4 address rather than stripping the IPv6 like a good proxy/VPN should. That’s what services like ViperVPN or whatever do. They’re both a proxy and a VPN.

    tl;dr + summary:

    1) This has nothing to do with PPTP. If PPTP wasn’t working, it would never be routed in the first place (ie, you’d have no internet connection). It’s a problem with certain providers’ ability to strip the IPv6 layer.

    2) Thus, it’s an easy fix

    3) You should be more concerned that you’re giving these companies your internet activity history! Set up your own Virtual Private Server for $7 a month and install your own VPN endpoint and SOCKS server. Then you could use L2TP and IPsec instead of PPTP, and be safer in the knowledge that it’s very unlikely anyone is monitoring/intercepting your data.
    If you want to be sure, a dedicated server will set you back only £50 a month, and you can secure it up till your heart’s content.

    ’Course the server’s outgoing IP is still registered to your name… so it doesn’t make it all that better. Perhaps there are companies which will do dedicated hosting without taking too much information from you… but I can’t imagine there are :(

  • John

    @32

    you know if i took all the packet data running through wireshark on my “unsecured” wifi access point and put it back together in the correct order …

    i could probably watch /listen to a lot of good movies / music

    not to mention the password username harvest from idiots who don’t understand the difference between http & https

    and what really makes me laugh are the ones who try to access their network shares

    stupid users

  • anonymous

    Haha i knew VPN wasn’t as safe and secure as everyone thought! Every written protocol or services can always find flaws that depletes the purpose of that service. I am glad i never wasted my time or money on VPN. Bit torrent is going down slowly we need a new File-sharing technology that fixes all Bit torrent flaws! –not looking good..

  • WOWSIMPLYWOW

    HOLY CRAPOLO

  • Egg

    How to fix flaw for windows vista
    ?

  • VPN

    BOLLOX, time to change to a seedbox!

  • Kaptain Krunch

    I use a VPN service. But my purpose for doing so is to encrypt my internet connection while using unprotected open wifi at hotels three to four nights out of the week.

  • Worried

    What’s the best VPN service based on OpenVPN?

  • Kaptain Krunch

    By the way, time for Microsoft to be notified so as to issue another Tuesday security patch!

  • usenet’er

    A recent research paper from Inria in France demonstrated that it is NOT POSSIBLE to anonymize BitTorrent (on the TOR anonymous network in particular) because clients like uTorrent transmit the user’s real IP address directly to both the tracker and to the DHT network.

    https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

    http://www.slyck.com/story1952_Surprise_Youre_Not_Anonymous_on_BitTorrent

    Socks proxies and VPNs are thought to be equally insecure for Bittorrent.

  • ohlol

    Feels good using private torrent sites or just usenet. No need to faff about with VPN

  • Paul

    This security hole is maybe good news if it encourages VPN providers to switch to OpenVPN instead of PPTP

    @48
    I don’t know if the risks the INRIA is talking about concerns VPS.

  • StevO

    LOL @ all those ppl that were saying they weren’t worried about the hurt locker garbage. Welcome back!

  • qaq

    Does it affect windows XP? I’m using PPTP

  • Bill Gates

    PPTP was never designed as a secure anonymous method for accessing the internet, rather it is the simplest VPN solution for accessing your own already secured Microsoft networks remotely. Never was it considered that you would need to hide your remote identity from your own VPN, let alone a need to hide it from locations you may access remotely from within the VPN. The PPP-based authentication methods were simply never intended to do what many people are attempting using PPTP.

    All available MPPE authentications used by PPTP are fundamentally insecure and the PPTP protocol itself does not employ any encryption or two-way differential ciphers found in more modern VPN packages.

  • qaq

    My OpenVPN is too slow for BT

  • Jay

    That’s why you use OpenVPN instead. BTW I have a server, if you need an OpenVPN I can sell you one for $2.50/month. Email me: esclek[at]gmail.com

  • Anonymous

    OpenVPN is not too slow for Bittorrent…

  • Anonymous Is Good

    @48: Interesting links. Is utorrent a security risk no matter the method your VPN uses? I went looking for an answer and found the following:

    http://forum.utorrent.com/viewtopic.php?id=34674&p=4

    This seems to contradict the findings you posted. Don’t know who to believe now…

  • Zowie WOods

    Uh oh, that doesn’t sound very reassuring now does it.

    feds-logging.at.tc

  • mack

    At least ISP get no logs because of the encryption while VPN keeps no logs

    So it’s not over yet! VPN still rules regardless of using PPTP or OpenVPN!

  • Anonymous Is Good

    It looks like ipv6 can now be disabled in the newest beta version of utorrent.

    As for ones true IP address being included in tracker handshakes despite use of a VPN, utorrent has an option that allows one to configure what IP or host name is reported, but I’m not sure this would work as it sounds like trackers can ignore this setting.

  • Old Timer…

    MAC addresses are normally spoofed….sorry simple 10 second download of macmakeup changes your mac address…this is why WEP and mac address restrictions on WiFi are so bad.

  • Gargamel

    Seedbox scrubs.

  • pea

    You should use Anonymizer – they use L2TP/IPSec VPN.

    http://www.anonymizer.com

  • Hazeldoughnut

    @60

    How is this true IP address obtained by the client?

    If my multihomed torrent box is in two different LAN networks and does policy and ip routing through two different gateways, one of which pushes torrent traffic through a VPN tunnel. To my knowledge the torrent client can only know the LAN IP’s, gateway IP’s and maybe the public IP of the remote end of the VPN tunnel. Unless of course the client did a bunch of traceroutes and packet sniffing which would be scary.

    MAC addresses and LAN IP’s are useless for any MAFIAA spy.

  • Anonymous

    After watching the video and trying some of the techniques myself (I’m a iPredator user), I’ve got to commend TF for bringing this to our attention, and criticize TF for the sensational title.

    By all means turn off IPv6 in Microsoft products. The exploit depends on how Microsoft crams IPv6 through IPv4 in a world dominated by IPv4 hardware. The exploit is not a result of a defect in the IPv6 spec and wouldn’t be an issue if everyone was using IPv6 hardware. There’s also the question about whether or not other operating systems are vulnerable. The Microsoft IPv6 exploit was by far the most significant threat discussed and apparently is already being used by authorities.

    The information revealed by nbtscan is interesting when using iPredator, but in most cases it would be difficult to use it to track down a particular user or organization.

    I think the point here is that the goals of the conference are different than that of the typical bittorrent user. The conference attendees want perfect anonymity and are actively researching promising algorithms and defects in current ones. The average BT user just needs the ISP logged IP/BT network IP link broken or at least difficult to correlate. A VPN not using Microsoft’s IPv6 is still the best way to accomplish this in any practical sense.

  • Firewalled

    I have just recently changed VPN provider. they do use PPTP.
    Unfortunately they do not have a firewall active on the exit node and I have been getting hit with unsolicited inbound, not really a problem, I just thought it was from torrent clients that had been connected to another user who had the IP before me. However, after checking my firewall logs I am finding a lot of blocked inbound IPV6(encapsulation), again I did not think much of that until I noticed that the IP ranges were in very tight groups, and after seeing this on Torrentfreak, I now think I am being scanned, as windows would normally reply to these.

  • omfg

    PPTP VPN outdated +
    dont do Windows and ipv6

  • Chris

    So is using ipv6 on a Mac affected or is this just a Microsoft problem?

  • U.S. Copyright Group

    We’ve been recording these now for months. Many Hurt Locker downloaders were caught in spite of their VPN façade.

  • anonymous

    I don’t understand to fix this flaw everyone is disabling ipv6, but what happens when ipv6 is standard vs ip4 in the future what happens then? You are all going to be screwed thats why a new anonymous bittorrent technology needs to be born soon!

  • Intuitionx2

    Should windows7 users not “Disable IPv6 for tunnel adapter & interfaces” as well?

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]
    "DisabledComponents"=dword:ffffffff

  • Anonymous

    What kind of horseshit misleading article is this? You shame other VPS protocols that are secure TF! Please change the article title to: “Huge Security Flaw Makes PPTP VPNs Useless for BitTorrent”.

    I still think its laughable that VPN Services are able to get away with selling PPTP services for anonymity. If anyone did their research they would find out right away that PPTP is flawed and outdated.

    OpenVPN FTW!!

  • Firewalled

    PPTP is OK for what it was intended for, and that is for point to point tunnelling, it was never intended for one of the end points to be open ended.
    Anyone using Vista/win7 just with the windows firewall should have changed the default firewall policies, as it is by default set up to allow various outbound/inbound IPV6 for Microsoft’s testing of the protocol.

    I dont use bittorrent, I just use VPN to tunnel past my ISP which is currently blocking/proxy connections to RS and other file lockers.

  • Joe

    Now this is news. Thanks TF.

    Looking forward to follow up articles on the relative security of vpns, proxies & seedboxes.

  • Pirate & Proud../

    So don’t use it. Stick with IPv4 and L2Psec.

  • Anonymous

    I’m assuming that Ubuntu doesn’t use this IPv6 crap?

    Linux wins again :D

  • steve

    should have gone to itshidden.com

    :)

  • Anonymous

    “We’ve been recording these now for months. Many Hurt Locker downloaders were caught in spite of their VPN façade.”

    Ya right! What a pack of liars these corporate parasites are!

  • Whatever

    Strangely enough one of the advantages of IPV6 is also a problem. There are enough addresses for each device on earth so NAT will become obsolete for connection sharing and disappears. Every device from then on will need its own software firewall/protection then.

    However i don’t see why translating IPv6 to IPv4 should expose the real address. Doesn’t happen on IPv4 NAT in your modem/router. I can only guess #65 is right that it’s a M$ only problem (as usual) by sending non-required information.

    @70 “what if ipv6 is standard”
    Then you will have more problems than just VPN, as LANs turn into WAN (part of the internet). In the (far) future a fridge might need to be firewalled.

    @”computer name and mac address”.
    As long as you don’t have personal info there it shouldn’t be a problem. Mac addresses can be changed and a name functional. (VPN doesn’t help against stupidity like “doc&settings-REAL NAME-shared folder” or try to search for CV on some P2P network, except bittorrent obviously)

  • Anonymous

    ahahaha you linux heads are why i switched back to windows. Linux has been using ipv6 for much longer than windows…

  • so

    How this can be fixed when using windows 7 and ipredator?

  • Jim

    Huge Security Flaw Makes VPNs Useless for BitTorrent IF YOU USE ipv6 just disable or uninstall ipv6 and no problems.

  • Jim

    This is IPV6 problem. Just disable or uninstall ipv6 from ur windows or network and problem is fixed even u are using PPTP-based VPN

  • Jim

    OpenVPN have also problems.

    WARNING

    Our software opens all ports on your system and bypasses your router.

    Make sure you have a personal (local) firewall running while using our service.

    The firewall your router provides WILL NOT protect you while you are using our service.

  • Jim

    Use this guide to disable and turn off ipv6 in windows

    http://tutorials-tips-tricks.info/disable-and-turn-off-ipv6-in-windows/

  • TerribleTony

    It’s still illegal for anyone to exploit the flaw.

  • UK

    ISP’s in UK don’t use IPv6 yet.

    @61

    Don’t use trackers, DHT and PEX work perfectly without loss of bandwidth

  • Anonymous

    The irony is that the current number of bittorrent users is at least 100 million. If the MPAA and RIAA went for a subscription model for $5/mo, that would represent 500 million a month in digital media alone (not counting all the non-bittorrent users who would join up).

  • Zarr

    This is NOT a problem with IPv6 – it’s a problem with iPredator and VPN solutions. The VPN provider should also provide VPN functionality for IPv6.

    I mean, if you are running IPv6 over IPv4 in plaintext (like is the norm until native IPv6 support takes over), then of course the IPv6 connections are done outside the VPN.

    So get the VPN service providers to start handing out IPv6 service instead of complaining about the protocol – it’s working as designed.

  • Blaster

    Just use torrentprivacy and you should be fine.

  • Whatever

    Addition:
    #65 is now 70
    #70 is now 75

    But will probably change with the “your post is awaiting moderation” system

    @TF why not make empty/skipped numbers ?

  • TECHGUY

    NEVER USE A VPN WITHOUT USING A PROXY AT THE SAME TIME, “IE” USE ANY VPN YOU LIKE BUT ONLY USE IT TO CONNECT TO A GOOD PROXY LIKE BTGUARD.

  • db

    Disabling IPv6 on the network interfaces is not sufficient (or necessary). Teredo must be disabled. At mullvad.net we have released a client that does this: http://mullvad.net/en/news.php#n6 . Users of other services can do it by hand like this: http://mullvad.net/en/teredo_disable_win.php .

  • Q

    Disabling ipv6 for this problem is like cutting down a tree in order to get a leaf. The VPN software is what needs to be fixed. I do admit that ipv6 disabling is a temporary solution but the blame should not be placed on it.

    I laughed out loud at the guy that said embrace linux since it does not support ipv6. Yeah sure, lets purposely not support the most important change in internet history since its introduction due to a flaw in VPN software..

  • ???

    So much information that don’t know what really does fix this flaw. So some tech guys tell us users step by step best way disable this flaw in windows 7.

  • uzwiow

    I do not use vpn. I am not afraid of getting caught because if some one comes knocking on my door he is going to taste some AK-47.

  • AA

    Linux used to use the IPv6 protocol long before Windows. IPv6 is great, it’s the future of the Internet.

    Anyway, who cares about which protocol is used; it isn’t the reason why this flaw exists.

  • TerribleTony

    As I said earlier, any evidence that is gathered using this security flaw is inadmissible in court. It is a criminal (not civil!) offense to utilise security flaws in such a way, and any case built on this would be thrown out as soon as it came to light.

  • lol

    lol linux..

    k you have fun trying to figure out command lines for how to turn off IPV6 for 2 hours..

    aaanndd.. done.

    Windows 7 FTW. Its not the best and its certainly flawed, but f*ck if im going to waste hours trying to do simple tasks.

  • KeepIPv6on

    Don’t turn off IPv6. Turn off the automatic tunneling stuff instead.

    To selectively disable IPv6 components and configure behaviors for IPv6 in Windows Vista, create and configure the following registry value (DWORD type)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents

    Set it to 0x1

    Other values:

    Configuration combination: DisabledComponents value
    Disable all tunnel interfaces: 0x1
    Disable 6to4: 0x2
    Disable ISATAP: 0x4
    Disable Teredo: 0x8
    Disable Teredo and 6to4: 0xA
    Disable all LAN and PPP interfaces: 0x10
    Disable all LAN, PPP, and tunnel interfaces: 0x11
    Prefer IPv4 over IPv6: 0x20
    Disable IPv6 over all interfaces and prefer IPv4 to IPv6: 0xFF

    You must restart the computer for the changes to the DisabledComponents registry value to take effect.

  • Sanderman

    This is wrong in so many ways:

    1. Wow. People are still using PPTP? Start using a decent VPN protocol! Ah…But does Windows even support those?

    2. Disabling IPv6 is silly and only a temporary solution. More ip addresses are desperately needed and it will be rolled out everywhere sooner or later. Better just to get things working properly with it.

    3. VPNs are also a temporary solution. Eventually someone will receive lawsuits for infringement. If not the user then the provider. How will anonymous VPN providers survive if the laws are changed to favor the big corps? Better to use real anonymous networks on top of the internet, like TOR and I2P. I2P was developed with Bittorrent in mind.

  • hadopirate

    IPv6 support is broken in OS Win 7, there is a kernel bug that fails uTorrent to close.

  • Peter

    @ # 89
    Quote :
    “OpenVPN have also problems.
    WARNING
    Our software opens all ports on your system and bypasses your router.
    Make sure you have a personal (local) firewall running while using our service.
    The firewall your router provides WILL NOT protect you while you are using our service.”

    You really don’t have a fucking clue, do you ?

  • HUGE-KING-FJONG

    I NEVER USE IP V6, AND I DON’T USE VPN. I USE COMMON SENSE AND A PACKET BLOCKER AND BLOCK CERTAIN IP RANGE THAT ARE USELESS, SAME WITH TCP/UDP PORTS JUST BLOCK THE SHIT OUT OF THEM (MOST OF THE LOW PORTS UP TO 10000.

  • freenet

    one more reason to use freenet

  • deeb

    Nobody answered me :(

    Is VyprVPN PPTP-based?

  • Anonymous

    I followed the link “turning IPv6 off” in the article and found alternatives for a lot of browsers. Disabling IPv6 for Firefox was quite easy.

  • billiob

    Or maybe you should use an OS that implements the RFC 3041 correctly.

  • Fatty112

    usenet FTW !!!

  • webbiker

    #109: yes vyprVPN offer a PPTP server.

    and here a great link about the most important VPN services in the world. it’s like a VPN comparator website with reviews about the providers.

    http://en.start-vpn.com

    you will see how Ipredator is an expensive service for only pptp servers and 1 IP localisation in sweden…

  • Cujo_

    change your mac address ;)

    http://www.technitium.com/

  • Anonymous

    #6: Good idea! Instead of plugging one flaw that endangers your privacy under one specific circumstance, let’s just completely roll back our computers to earlier, less secure OS’s. “Ow! I shut my finger in a door and it really hurts!” “my advice is to cut your arm off at the shoulder. Then your finger won’t hurt!” :::eye roll:::

  • Ken

    That doesn’t sound right at all! So basically what you’re saying is that an endpoint being able to map an IPv6 address to an IPv4 address is a flaw (which it isn’t)… The IPv6 address is effectively not hiding the IPv4 address very well. So your solution of disabling IPv6 and using ONLY IPv4 makes it easier for someone to see your IPv4 address because it is not masked by anything!

    It’s exactly like putting blue transparent plastic over your car registration numbers and then declaring it a security risk because people can still read the numbers and then saying that removing the plastic will make you more secure.

    Think of IPv6 like this:

    You have a home telephone number of 4 digits. Your city is quickly approaching 9999 telephone users and needs more numbers so you add an extra number. Now you have a 5 digit telephone number.

    IPv4 is the current IP addressing system that we use. We are running out of IP addresses so we are moving to IPv6 (slowly but surely) so that we will be able to continue adding more people to the Internet.

  • Anonymous

    I’ve been saying all along people are putting too much trust in these anonymization techniques! I didn’t believe in VPNs to begin with.

    Maybe it’s time to bury BitTorrent and embrace truly anonymous networks, which have been advertised for at least 4-6 years, but where are they in practice?

  • Capn

    Welcome to the internet. If there’s a will, there’s a way. I tell you this now because you should remember it. There is NO SUCH THING as being anonymous. Sure, you could zombie the computer, set up multiple VPN channels, fake addresses, hide in public gateways but there’s ALWAYS a way to find out who you are… it just might be difficult.

  • Diver

    How about ItsHidden? Is it also using PPTP-based VPN?

  • Happy i2p user

    The i2p network is bittorrent ready (among many other things it provides, like other ways of file sharing, instant messaging and hidden sites, just to name a few)

    http://www.geti2p.net/

  • haxor

    121:

    Totally wrong if you know how easy it is to be fully anonymous and impossible to track down. There is no way to find persons who know how to be fully anonymous. All these are facts. 121 is only talking bullshit without knowledge and without facts.

  • Linux and ipv6 support

    Linux’s ipv6 support is exceptional.

  • Musty

    Disabling ipv6 completely will disable Homegroup functionality. Post #105 is spot on. Disabling all tunneling devices is the way to go.

    Spoofing the MAC address is not 100% effective but is still a good idea, just like blocklists and OpenDNS or the like.

  • worried

    Cyberghost VPN pptp or not?
    safe with xp (is it ipv4 only)?
    Just spent £70 on annual subscription:/

  • Anonymous

    Just drop the VPN bomb somewhere in an article and watch everyone who does not know that they know nothing mouth off with dozens of useless hacks.

    If you wanted complete privacy you wouldn’t be using PPTP in the first place.

  • XL

    If authorities/investigators/etc can view a network, they can see the primary IP connecting to another IP.

    VPN’s have a limited future for filesharing. A safer (but slower) solution is for everyone to act as a distributed VPN to act as proxies for each other.

    A distributed, peer-fuelled anonymity system is the only logical conclusion. Peer proxying ftw!!!


  • Capn

    @124 – What’s anonymous today is public tomorrow; that’s the beauty of technology.

    Alright, what I said first was a little bit of soap-box fear-mongering but it is the truth. WEP used to be secure, 16bit encryption, 64? 1024? Things are constantly changing, people keep cracking what was once secure and new secure things come out only to get cracked eventually. The simple fact is that if information has to get from A to B there’s a way for point C to get it as well. The difference is that C may not be willing to invest time/resources to get it.

    Yes, you’re right that some things are anonymous today but ANYTHING can/will be broken eventually so there’s no use putting all your eggs in one basket.

  • Anonymous

    If you want true anonymity, just do what I do: Wear a fake beard when you’re on the internet.


  • disabling IPv6 Ubuntu

    gksudo gedit /etc/sysctl.conf

    #disable ipv6
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1

  • Mikhail

    Oh my god, this guy rediscovered an IPv6 privacy flaw first discussed in 1999 [1], and finally fixed in RFC4941 [2]! Besides, Windows Vista was the first OS to implement these privacy extensions [3], while Linux [4] and Mac OS X [5] lagged behind.

    Disabling IPv6 is just hiding from the problem, because IPv4 addresses are about to run out in foreseeable future (2012) [6].

    [1] http://web.archive.org/web/20000815075159/http://www.internetwk.com/columns/frezz100499.htm

    [2] http://tools.ietf.org/html/rfc4941#page-10

    [3] http://ipv6int.net/systems/windows_vista-ipv6.html#privacy

    [4] http://ipv6int.net/systems/linux-ipv6.html#privacy

    [5] http://ipv6int.net/systems/mac_os_x-ipv6.html#privacy

    [6] http://www.potaroo.net/tools/ipv4/index.html

  • VPN

    Am sticking with VPN – it’s better than nothing

  • Mikhail

    Instead of disabling IPv6, enable Privacy Extensions by adding the following lines to /etc/sysctl.conf:
    # linux ("if" is the interface name, or "all" / "default")
    net.ipv6.conf.if.use_tempaddr = 2
    # mac os x
    net.inet6.ip6.use_tempaddr = 1

    Windows XP by default has IPv6 off, and Windows Vista has it on with Privacy Extensions already enabled.
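Added example (not part of any comment in this thread, and not TorrentFreak's or any VPN provider's code): the comments refer to IPv6 tunneling (Teredo, and the related 6to4 scheme) and to RFC 4941 privacy extensions. This Python check, meant to be run over your own host's addresses, reports which of them embed the public IPv4 address or the interface's MAC address by construction. The sample addresses are constructed from documentation ranges and the function names are illustrative.

```python
import ipaddress


def embedded_identifiers(addr):
    """Return the identifiers an IPv6 address reveals by its construction."""
    # Accept "addr/64" and "addr%eth0" forms as printed by common tools.
    ip = ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])
    found = {}
    # 6to4 (2002::/16): the 32 bits after the prefix are the public IPv4 address.
    if ip.sixtofour is not None:
        found["6to4_ipv4"] = str(ip.sixtofour)
    # Teredo (2001:0000::/32): the last 32 bits are the client IPv4, bit-inverted.
    if ip.teredo is not None:
        found["teredo_client_ipv4"] = str(ip.teredo[1])
    else:
        # Modified EUI-64 (autoconfiguration without RFC 4941 temporary addresses):
        # the interface identifier is the MAC with ff:fe inserted in the middle
        # and the universal/local bit flipped.
        iid = ip.packed[8:]
        if iid[3:5] == b"\xff\xfe":
            mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
            found["eui64_mac"] = ":".join(f"{b:02x}" for b in mac)
    return found


def audit(addresses):
    """Map each address that embeds an identifier to what it embeds."""
    report = {}
    for address in addresses:
        leaks = embedded_identifiers(address)
        if leaks:
            report[address] = leaks
    return report


# Constructed sample input (documentation prefixes and MAC range only).
SAMPLE = [
    "2002:c000:204::1/64",                      # 6to4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",     # Teredo
    "2001:db8::200:5eff:fe00:5301/64",          # MAC-derived interface identifier
    "fe80::200:5eff:fe00:5301%eth0",            # link-local, also MAC-derived
    "2001:db8::3c5a:91e2:7b04:d6f8/64",         # randomized (temporary) identifier
]

if __name__ == "__main__":
    for address, leaks in audit(SAMPLE).items():
        print(address, leaks)
```

An address that appears in the report is a reason to turn off the tunnel interface or enable temporary addresses, as the comments above describe; an empty report covers only these three address formats.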

  • Doink

    suckers.

    wawawawawawawawawawawawawawawawawawawa
    hehehehehehehehehehehehehehehehehehehe
    LOL

  • omni

    try using beevpn. they do NOT use PPTP type
    VPNs, they use DTLS/SSL based on Cisco software and hardware.


  • AlphaDawg

    Where’s that Windows XP torrent? lol

    Seriously, I’ve been wondering why most Linux distros never wanted to use ipv6. Now I know what they were talking about when they say the underlying structure of it was flawed.

  • an0nymous

    @104 “lol linux..

    k you have fun trying to figure out command lines for how to turn off IPV6 for 2 hours..

    aaanndd.. done.”

    Two hours? How come so long? It’s just this (on CentOS anyway)

    Edit /etc/sysconfig/network and set "NETWORKING_IPV6" to "no"

    Add the following to /etc/modprobe.conf :

    alias ipv6 off
    alias net-pf-10 off

    Run /sbin/chkconfig ip6tables off to disable the IPv6 firewall

    Reboot the system

    Alternatively (which might be easier and works on any release with /etc/modprobe.d)

    touch /etc/modprobe.d/disable-ipv6
    echo "install ipv6 /bin/true" >> /etc/modprobe.d/disable-ipv6

    Or if you have CentOS 5.4 or greater this

    touch /etc/modprobe.d/disable-ipv6
    echo "options ipv6 disable=1" >> /etc/modprobe.d/disable-ipv6

    Now – How hard was that?

  • Omni

    I pulled in over 12tb last month off BT. <3 Canada.


  • Chris

    Does this only affect Windows?

  • bob

    @141
    any OS, just disable IPv6 or switch providers to use IPsec or OpenVPN (recommended change provider due to running out of IPv4 ips at some point so some of your peers may be IPV6 only)

    if you looked at the last post that related to a Linux based system


  • MD3

    This is a nice moment for me to ask just ONE thing to you big guys using VPNs…

    What if your VPN company is forced to give away your information, due to a judicial order?

    What the hell will you do? Unless the VPN company does not keep logs of IP addresses (in some countries it is illegal not to have them), then your VPN is worthless! Now what? Seriously.

  • Cory

    @28
    lol, you think they don’t know that peer guardian blocks their IP? they just use a different one that isn’t blocked. peerguardian is shit.

  • Anonymous

    So many people on this site bleat on about OpenVPN yet no one ever provides a list of OpenVPN providers…


  • Mark

    So…

    could we please have a post that lists:

    OpenVPN providers
    that do not keep logs of IP addresses
    that readers of this site recommend

    which is surely what we’re all after?


  • Rich

    Hi,
    does this affect macs as well?
    Please answer, thanks

  • J

    Well disable teredo and IPv6 problem solved!

    If you want to feel 100% secure while using VPN I recommend this Freeware:

    http://vpncheck.jothodesign.com


  • townie2

    so, do i have this right? use OpenVPN, and you don’t have to change anything?

  • Anonymous

    openVPN will give you security because even if your VPN company is forced to give away your information, due to a judicial order, they do not have you yet… if the VPN logs traffic, which not all do (choose wisely), they most likely only have your ISP.

    Then they need to go to your ISP with another judicial order.

    Now imagine your VPN provider being in Europe and your ISP is in the US.

    This looks like a lot of complexity to me: different legislations etc…

    Meanwhile there are thousands out there not hiding their ip in any way. Waaaay easier to hunt down.

    The more layers you add the more difficult it becomes to trace you. But yes there is no way to be 100% anonymous. The best way still is not to download anything illegally. Period.

    Anyway, does anyone know a solution FOR MAC to intercept the BitTorrent client downloading in case the VPN connection drops? This obviously exposes your real IP while you think you are safe. I know for Windows there are two solutions: one is VPNetMon and the other Sygate Personal Firewall. Any suggestions for Mac?

  • bitemypig

    I use purevpn, which offers PPTP or L2TP, in set up you not V6 off the checklist first, is L2TP a safer option?? only downside is it’s a lot slower using vuze :(

  • Anonymous

    @147 Black VPN supports openvpn

    https://www.blackvpn.com

    use this code: ZUBYETW
    It will get you 3 months for 5 euro

  • townie2

    thanks for the tip 153, the only other one i know of is StrongVPN http://www.strongvpn.com/. looks like i have some comparing to do.

  • Unknown Commenter

    Seems pretty straightforward to me.

    Permanent solution: Refuse to pay for a sub-par security service. Only use a trusted VPN provider that doesn’t use PPTP and doesn’t keep any records on their users. Like the entertainment industry, let those who refuse to adapt die.

    Temporary solution: Turn off IPv6 tunneling options in your OS, but not IPv6 itself if you’re using Windows 7 as this will mess up features that require it (built in firewall and home group for example).


  • willemijns

    http://www.willemijns.com/dynip.php lists all VPNs which accept L2TP and/or OpenVPN for paranoiac users ;)


  • Anonymous

    Anyone who uses Ipredator should check their firewall using an online scanner like ShieldsUP!

    This guy showed that the majority of Ipredator users’ PC firewalls are misconfigured
