Slashdot Mirror


VPN Flaw Shows Users' IP Addresses

AHuxley writes "A VPN flaw announced at the Telecomix Cyphernetics Assembly in Sweden allows individual users to be identified. 'The flaw is caused by a combination of IPv6, which is a new Internet protocol due to replace the current IPv4, and PPTP (point-to-point tunneling protocol)-based VPN services, which are the most widely used. ... The flaw means that the IP address of a user hiding behind a VPN can still be found, thanks to the connection broadcasting information that can be used to identify it. It's also relatively easy to find a MAC address (which identifies a particular device) and a computer's name on the network that it's on.' The Swedish anti-piracy bureau could already be gathering data using the exploit."

124 comments

  1. Tor by Anonymous Coward · · Score: 0

    All the more reason to donate to Tor!

    1. Re:Tor by Rijnzael · · Score: 4, Insightful

      I seriously doubt any reasonable level of donations will ever allow the Tor network to add the kind of capacity required to torrent. I think it has many more important needs than that anyway.

    2. Re:Tor by TheRealMindChild · · Score: 4, Insightful

      Not only that, but Tor isn't nearly as secure as most people think it is.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    3. Re:Tor by Rijnzael · · Score: 2, Interesting

      Good point, anyone can host a Tor node, and I'm sure we can bet the bad guys are hosting just as many or more than the good guys. Web of trust for Tor, anyone?

    4. Re:Tor by bsDaemon · · Score: 2, Insightful

      In order to have a web of trust, don't you need to be able to establish the identity of the other people in your web to a reasonable degree of certainty? Wouldn't verifiable identities undermine the concept of anonymity that is the whole purpose of Tor?

    5. Re:Tor by Rijnzael · · Score: 2, Informative

      The Tor nodes themselves are actually quite identified, as you can see by the hostnames/IP's of the nodes themselves. The clients are the ones who are anonymous, as is intended.

    6. Re:Tor by mrsteveman1 · · Score: 1

      That only matters for exit traffic, onion site traffic can't be easily sniffed by nodes

    7. Re:Tor by negRo_slim · · Score: 1

      And information that resides on the Tor network itself never needs an exit node at all.

      --
      On the Oregon Coast born and raised, On the beach is where I spent most of my days
    8. Re:Tor by Anonymous Coward · · Score: 0

      So what? As long as I secure my browser properly not to leak information and/or use ssl where appropriate it doesn't matter whether a bad or a good guy runs the exit node.

    9. Re:Tor by Rijnzael · · Score: 2, Interesting

      I think persistently sending a file over SSL over Tor to wikileaks might be somewhat suspicious to a malicious man in the middle listening for as much. Hiding who one is talking to is still as important as hiding what is said.

    10. Re:Tor by Runaway1956 · · Score: 1

      http://www.i2p2.de/

      Considerably more secure than TOR, but not any faster.

      And, the donations most needed by any such community, is the donation of BANDWIDTH. Exit nodes, or the lack of exit nodes, are the most limiting factors with any of the darkweb softwares.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    11. Re:Tor by Anonymous Coward · · Score: 0

      Take a bunch of donations and send them to a few unscrupulous people who promise a few million "involuntary" installations for a relatively small sum. If the bots can host emails they can host exit nodes just as well.

    12. Re:Tor by Tacvek · · Score: 2, Informative

      Somebody who listens to your tor traffic at your end has absolutely no way of telling who you are communicating with, so who you are talking to is just as hidden as what you say. All packets in the tor network are encrypted in such a way that the contents are only ever known by the exit node. There is little point in using SSL if sending a file to wikileaks via tor, since only wikileaks and the exit node would see the plaintext even over plain old http, and neither would be able to determine who or where the sender was. If wikileaks is going to publish what you sent anyway, so the exit node could see it upon publication, there is little reason to hide anything, unless there is identifying information in your submission that wikileaks has agreed not to republish. In that case using SSL over tor to talk to wikileaks makes good sense.

      You would use SSL over Tor only if there was some reason why it would be undesirable for the exit node to hear what you are saying, and you also want to hide your identity or perhaps only your location from the server you are talking to.

      --
      Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
    13. Re:Tor by Hatta · · Score: 2, Informative

      The exit node might know that there's an SSL connection going through his computer that terminates at wikileaks. If everything is configured properly he should be unable to determine where that SSL connection originated.

      --
      Give me Classic Slashdot or give me death!
    14. Re:Tor by hairyfeet · · Score: 1

      While what you say is true about bandwidth, unless you are a "bad guy" using your exit node to try to capture useful data, you would have to be bug fucking crazy to run Tor or i2p2 or any of those on your PC as a node. Why? Because guess whose door gets kicked, guess who gets drug off to jail, guess who has their PC confiscated, when some perv looks at CP over your connection...hmmm?

      As we have seen with the CP witchhunt innocence don't mean shit as long as they grab somebody to parade in front of the press. Sure you may get proven innocent months later, after having to deal with threats of 30+ year prison sentences and everyone looking at you like a monster, but will anyone care? After all retractions get buried on the back page while arrests get front page headlines.

      So as much as I support the idea behind these networks, as someone with a family I wouldn't touch one of them with a 50 foot pole. And unless you have 50k+ in the bank to fight back you shouldn't be running a node either. The risks are simply too high in this witchhunt atmosphere to risk it. And has anyone even tested the whole "plausible deniability" thing that these networks use? They pretty much ALL cache to speed up the network, yes? Now correct me if I'm wrong, but most laws I've seen you have to possess or distribute CP, not that you yourself actually have to have access to it. If you are an exit node they can easily prove YOUR IP address went to a CP site, and as far as I have heard that is all the "proof" they need to fuck your life up royally. Yeah, no thanks.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    15. Re:Tor by Anonymous Coward · · Score: 0

      I2P shares some of your bandwidth with the network, so you route data for others.
      What it does NOT do (unless you choose to do so, which I don't advise, for the reasons you posted above), is let you run as an outproxy.
      It also doesn't cache any of the data (that is encrypted, have a look at onion routing) you send.

    16. Re:Tor by Anonymous Coward · · Score: 0

      Your last argument doesn't quite hold up. If neither you nor anyone else outside the network can access any cached data, because it's encrypted, there is no way to prove what kind of data it is.

      However, you make a valid point stating that running an exit node is not the smartest thing to do in these times. Don't forget that there are other ways to help the network. Merely running a node donating your bandwidth helps the network tremendously. It doesn't have to be an exit node. Inner nodes are just as useful and there is no way to even guess what kind of data flows over a given node because inside, everything is encrypted, and you are not making requests over the normal web on behalf of strangers. To outsiders, it looks like garbage in, garbage out. Everything stays within the network.

      Bittorrent already works nicely within I2P. The only downside is the somewhat limited offerings and low speeds. These should improve as the user base grows.

      Don't forget that there are also a lot of very legitimate reasons for these networks. Whistle-blowers could use them for safe distribution of information, leading up to publication at normal websites like wikileaks. The day general purpose anonymous networks are banned would be a very sad day indeed.

    17. Re:Tor by Anonymous Coward · · Score: 0

      Rate parent: 5.

    18. Re:Tor by hairyfeet · · Score: 1

      But AFAIK nobody has actually tested that theory in court have they? Here let me give a scenario, which because I've had business dealings with state police in the past really isn't far fetched. Cop decides your network, I2P, Tor, whatever, is a kiddie fiddler paradise and decides to "do something about it". So he sets up a node, puts on some CP (which yes, they are allowed to do even though I would consider it entrapment) and then writes down the IP addresses of any that "access" this data.

      Now since the way I understand it is these networks cache data, and make no difference or checks on data being added to the network, it really shouldn't be hard for the cop to add CP to the network then write down the IP address of anyone whose PC caches said data. Since ALL he is offering to the network IS CP, he could then stand up in court and say ANY PC that hooks to him was accessing CP. Now as far as the law is concerned all one has to do is access or distribute it, nowhere in the law does it say one has to be able to look at it themselves.

      So until this whole "encrypted cache" thing actually has some court precedent I would still be leery. Nowhere in the laws does it state you have to LOOK at it, only possess or distribute. Splitting hairs yes, but I have seen people get their lives ruined over hair splitting in the past, and I haven't been able to find any cases where the encrypted cache bit has been tested in court with regards to CP, have you? Considering you will be looking at 30 years + in PMITA prison, that is a hell of a lot of risk to take on something that hasn't even been tested in court. Remember, it doesn't matter what your geek logic says, only what a prosecutor can convince 12 people too stupid to get out of jury duty to believe.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    19. Re:Tor by mysidia · · Score: 1

      Of course if the sender were really paranoid, that SSL connection's IP destination could be a SSL VPN to another anonymizing service, instead of Wikileaks.

      And that anonymize service could open yet another SSL connection through the tor network, through a different TOR client, terminating at Wikileaks.

      Someone really paranoid will build a chain of encrypted anonymizers, and sign up for accounts on the additional anonymizer services while already anonymous, so a chain is built of services and nested levels of encryption that have to all be compromised, before the sender could ever be identified.

  2. garbage in, garbage out... by Michael+Kristopeit · · Score: 2, Informative

    it's also relatively easy to spoof an IP address or MAC address.

    1. Re:garbage in, garbage out... by Anonymous Coward · · Score: 0

      IPv6 a new protocol?

      Since when? Just because no one uses the darn thing (yet) does not make it new, just "newer" than IPv4

    2. Re:garbage in, garbage out... by dotgain · · Score: 5, Insightful

      And it's just as sensible as spoofing your home address when ordering pizza that you ultimately want to eat.

    3. Re:garbage in, garbage out... by Rijnzael · · Score: 2, Informative

      MAC address sure, since your device's MAC address isn't used after your packets reach the ISP's border. However, I invite you to try to establish a full duplex connection using a spoofed IP. Sure, you can send packets using a spoofed IP provided your ISP allows you to send packets for IP's which they don't announce, but you're not getting the response to that packet back. This is actually the basis for DDoS reflection attacks.

    4. Re:garbage in, garbage out... by Anonymous Coward · · Score: 0

      You're just not as badass a hacker as Michael Kristopeit. YOU ARE NOTHING!!!

    5. Re:garbage in, garbage out... by Michael+Kristopeit · · Score: 0

      so you spoof 1,000 packets with incorrect IP addresses for every 1 packet with the correct IP... you still get your data, albeit 1/1001 as fast, but now your "attacker" has 1,000 times more work to do to locate you.

    6. Re:garbage in, garbage out... by Michael+Kristopeit · · Score: 1, Interesting

      see my comment above...

      you flood the network with "ghosts"... 1,000+ spoofed IP packets for every 1 real one. sort of like under siege dark territory with the ghost satellites.

      it isn't perfect, but provides enough ambiguity to make a counter attack almost pointless for a considerable time.

    7. Re:garbage in, garbage out... by Rijnzael · · Score: 2, Interesting

      Definitely an interesting thought, though with a MITM attacker (presumably the person one is using Tor/VPN/whathaveyou to hide from) it would be pretty obvious that one isn't actually establishing true communication, as the TCP sequence numbers et al wouldn't make any sense, and the remote machine wouldn't be sending back any data packets. With UDP it might be less obvious, though it would be clear one is only sending and not receiving.

    8. Re:garbage in, garbage out... by vlm · · Score: 1

      However, I invite you to try to establish a full duplex connection using a spoofed IP.

      I think you're new to ipv6 and are thinking in ipv4 terms.

      At one site I have a tunnel from sixxs (because it's dynamic) and another site I have a tunnel from tunnelbroker.net aka everyone's favorite ISP he.net (which only works on static IPs, more or less)

      At both sites I have a /48 of which I have a /64 assigned to my ethernet LAN. Based on various blah blah blah you can figure out my MAC address based on my ipv6 address.

      You can also assign multiple arbitrary ipv6 addresses to an interface. One of my boxes has no less than 5 addresses. It's cheap and simple to load balance or whatever by moving the address to another machine later, if/as necessary.

      So, yeah, no problemo, on my /64 ethernet at home I can spoof most any address I want inside that /64 and it'll work, aside from the 30 or so in 2**64 odds (actually somewhat worse...) of colliding with another machine.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    9. Re:garbage in, garbage out... by Anonymous Coward · · Score: 0

      either do 1000 times more work, or spend 10 seconds finding the only IP that's actually getting ACKed, and then filter out everything else.

    10. Re:garbage in, garbage out... by Michael+Kristopeit · · Score: 0

      i thought the exploit was only on the sent packets and the sender address... they can get the receiver address off the received packets behind a VPN as well?

    11. Re:garbage in, garbage out... by quantumplacet · · Score: 4, Informative

      assigning a second IP address, that you also control, to an interface is not 'spoofing' in any sense of the word. If you assign an IP address that I control, then you're spoofing, at which point you have the same problem in IP6 that you have in IP4.

    12. Re:garbage in, garbage out... by Michael+Kristopeit · · Score: 0

      so now you can filter out ACKs behind a VPN you aren't connected to? if you could already do that, then how is this story relevant?

    13. Re:garbage in, garbage out... by Sir_Lewk · · Score: 1

      That applies for spoofing your IP address, but not for spoofing your MAC address.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    14. Re:garbage in, garbage out... by Anonymous Coward · · Score: 0

      Thank you AC. You just made my day.

    15. Re:garbage in, garbage out... by Anonymous Coward · · Score: 0

      YOU ARE NOTHING

    16. Re:garbage in, garbage out... by vlm · · Score: 2, Informative

      Kind of two separate arguments.

      Let's look at the original poster's claim:

      MAC address sure, since your device's MAC address isn't used after your packets reach the ISP's border. However, I invite you to try to establish a full duplex connection using a spoofed IP.

      Now his point is that your MAC is irrelevant beyond your layer 2 link. OK, correct on ipv4.

      However, what if you use ipv6 and RFC 2462 "Stateless Address Autoconfiguration" which basically picks your ipv6 address based on your MAC address. Wedging a 48 bit mac address into, say, a /28 of ipv4 space isn't going to work too well, but wedging a 48 bit mac address into a /64 LAN of ipv6 works pretty well.

      http://www.ietf.org/rfc/rfc2462.txt

      Now the argument is that no matter which ISP you connect to, or which starbucks you connect to, etc, you can always correlate that large collection of 128 bit ipv6 addresses in a log by trashing the upper 64 bits and figuring out which 48 bit mac addresses map into the /64 ipv6 addresses.

      Even worse, the top 24 bits of the mac define the device manufacturer, so no matter where you go in the world, people know you've got an apple, or whatever.

      So, "your device's MAC address isn't used after your packets reach the ISP's border" isn't really true if your layer 3 address depends directly on your layer 2 address.

      On the other hand, if instead of using your autoconfigured address, you fake or "spoof" some other random /64 on the LAN, then you can't be tracked. Now if you do this at work, your local net nanny is going to get all teed off that some "unknown" mac address is online, because look at that ipv6 address that doesn't match any known inventoried hardware MAC address.

      You can insist that using a "fake" MAC is not spoofing, or whatever, but then you're getting into pointless naming games.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
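
Added example, not part of the thread: a Python illustration of the correlation the comment above describes, where the modified EUI-64 interface identifier that stateless autoconfiguration derives from a MAC is recovered from logged IPv6 addresses and used to link one device across networks. The log lines, the 2001:db8::/32 prefixes and the 00:00:5e:00:53:xx MACs are constructed documentation values, and all function names are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log ("timestamp source-address"); not real traffic.
SAMPLE_LOG = [
    "2010-06-18T09:02:11Z 2001:db8:1:1:200:5eff:fe00:532a",     # device at network A
    "2010-06-18T09:05:40Z 2001:db8:1:1:9c4e:21b7:6d03:a1f5",    # randomized identifier
    "2010-06-19T17:44:03Z 2001:db8:beef:2:200:5eff:fe00:532a",  # same device, network B
    "2010-06-19T17:50:29Z 2001:db8:beef:2:200:5eff:fe00:5301",  # other device, seen once
]

LOW64 = (1 << 64) - 1


def mac_to_eui64_iid(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 6 bytes")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure on a /64 from its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration assumes a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_eui64_iid(mac))


def mac_from_address(addr: str):
    """Return the embedded MAC if the low 64 bits look like EUI-64, else None.

    Heuristic: a randomized identifier carries ff:fe in this position with
    probability 1 in 65536, so treat a single hit as a hint, not proof.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & LOW64).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{x:02x}" for x in mac)


def oui(mac: str) -> str:
    """Top 24 bits of the MAC, which identify the manufacturer."""
    return mac[:8]


def correlate(log_lines):
    """Map each embedded MAC to the /64 networks it appeared on.

    Only MACs seen on more than one network are returned: those are the
    devices an observer can follow from place to place.
    """
    seen = defaultdict(set)
    for line in log_lines:
        _timestamp, src = line.split()[:2]
        mac = mac_from_address(src)
        if mac is not None:
            seen[mac].add(str(ipaddress.IPv6Network(f"{src}/64", strict=False)))
    return {mac: sorted(nets) for mac, nets in seen.items() if len(nets) > 1}


if __name__ == "__main__":
    for mac, nets in correlate(SAMPLE_LOG).items():
        print(f"{mac} (OUI {oui(mac)}) seen on {', '.join(nets)}")
```

Running the same `mac_from_address` check over a host's own addresses shows whether it is still advertising an EUI-64 identifier instead of a randomized one.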
    17. Re:garbage in, garbage out... by Rijnzael · · Score: 1

      Ah, I was talking in general. I don't think most VPN daemons would accept and transmit as expected an IP packet addressed from an incorrectly sourced IP, probably due to no entry in the ARP table and (from pure gut feeling) other reasons I might be unfamiliar with.

    18. Re:garbage in, garbage out... by Michael+Kristopeit · · Score: 0

      well... if you are going through the trouble of altering your network infrastructure to spew garbage, i'm pretty sure that includes modifying your VPN daemons to play along.

    19. Re:garbage in, garbage out... by dotgain · · Score: 1

      Fair enough. As my laptop and WiFi capable phone go from place to place, my (unspoofed) MAC address gets pissed all over the place. Much like the licence plate on my car does. This doesn't really bother me.

    20. Re:garbage in, garbage out... by Phs2501 · · Score: 1

      It's not even "spoofing" to pick a random IPv6 address, it's a standard:

      RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6

      Windows does this by default.

    21. Re:garbage in, garbage out... by clone53421 · · Score: 1

      All he’d have to do is filter the IP addresses to only identify one(s) that requested/received all of the data. Which is probably just one IP. Which is yours.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    22. Re:garbage in, garbage out... by Anonymous Coward · · Score: 1, Insightful

      "Spoofing" an IP address will tend to cause the packets to be delivered to the wrong place.

      On a very different note, it is worth remembering that MAC addresses are embedded in the IPv6 address. If these guys are presenting the idea that you can get a MAC address from an IP address (in IPv6) as a new security flaw, they obviously haven't been reading the RFCs. Why the #*%! do these morons think people are so reluctant to switch to IPv6? Because it makes it very hard to obscure a machine on the Internet, and since there's no built-in security on the Internet ...

    23. Re:garbage in, garbage out... by Anonymous Coward · · Score: 0

      the counter to this specific exploit has been explained in many posts above... the attacker gets the sender's ip from a broadcast packet sent by the sender. so the sender sends out an arbitrarily large number of these packets, much like a baseball coach sends out a large number of signals to disguise the true signal. the VPN daemon understands the signaling language and can keep its clients' public location data private.

    24. Re:garbage in, garbage out... by Anachragnome · · Score: 1

      "'see my comment above...

      you flood the network with "ghosts"... 1,000+ spoofed IP packets for every 1 real one. sort of like under siege dark territory with the ghost satellites.

      it isn't perfect, but provides enough ambiguity to make a counter attack almost pointless for a considerable time."

      And Comcast nukes your connection.

      Seriously, ISPs are already miffed about the bandwidth usage of P2P systems. Intentionally throwing garbage down them intertubes will not only plug them up, but give the likes of Comcast another excuse for traffic-shaping that they could use as leverage when speaking before congress critters, and we don't want that, do we?

    25. Re:garbage in, garbage out... by drinkypoo · · Score: 1

      Even worse, the top 24 bits of the mac define the device manufacturer, so no matter where you go in the world, people know you've got an apple, or whatever.

      If you can't change your MAC then your OS and/or driver blow. Even almost every NIC I've plugged into a Windows box has had driver support for MAC changes.

      Now if you do this at work, your local net nanny is going to get all teed off that some "unknown" mac address is online, because look at that ipv6 address that doesn't match any known inventoried hardware MAC address.

      Personally I think that employers that let you connect your devices to their networks are crazy anyway. I could see providing WiFi that is segregated from the corporate network for employee convenience, but then you don't have to worry too much about what is connected, only what it is doing.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    26. Re:garbage in, garbage out... by Anonymous Coward · · Score: 0

      well, if we didn't WANT a PRIVATE network, then we shouldn't have VPN, should we?

    27. Re:garbage in, garbage out... by complete+loony · · Score: 1

      So why not just hash the netmask and mac together perhaps with a salt value to generate your stateless address. That should give you the same low risk of collisions, while giving you a different address on each network and not exposing any identifying information to remote hosts.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
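
Added example, not part of the thread: one way to realize the suggestion in the comment above, deriving the interface identifier from a keyed hash of the /64 prefix and the MAC so that it is stable on one network, different on every other network, and does not expose the MAC. RFC 7217 later standardized this general approach; the choice of HMAC-SHA256, the one-byte retry counter, the function names and the sample values here are assumptions of this example.

```python
import hashlib
import hmac
import ipaddress


def opaque_iid(prefix: str, mac: str, secret: bytes, dad_counter: int = 0) -> int:
    """64-bit interface identifier = HMAC(secret, prefix || MAC || counter)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration assumes a /64 prefix")
    msg = (
        net.network_address.packed[:8]          # upper 64 bits: the network
        + bytes.fromhex(mac.replace(":", ""))   # the interface's MAC
        + dad_counter.to_bytes(1, "big")        # bumped after an address collision
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def opaque_address(prefix: str, mac: str, secret: bytes, in_use=frozenset()):
    """Pick the first derived address that no neighbour already holds.

    `in_use` stands in for duplicate address detection on the link
    (an assumption of this example; a real host probes the network).
    """
    base = int(ipaddress.IPv6Network(prefix).network_address)
    for counter in range(256):
        addr = ipaddress.IPv6Address(base | opaque_iid(prefix, mac, secret, counter))
        if addr not in in_use:
            return addr
    raise RuntimeError("no free address after 256 attempts")


if __name__ == "__main__":
    secret = b"constructed-per-host-secret"     # constructed; generate randomly per host
    mac = "00:00:5e:00:53:2a"                   # documentation-range MAC
    for prefix in ("2001:db8:1:1::/64", "2001:db8:beef:2::/64"):
        print(prefix, "->", opaque_address(prefix, mac, secret))
```

The secret has to stay on the host: anyone who knows it and a candidate MAC can recompute the identifier for any prefix and link the addresses again.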
    28. Re:garbage in, garbage out... by mysidia · · Score: 1

      Full duplex connections are possible.

      It's just necessary for the spoofer to first compromise an appropriate router on your network and set up a tunnel. Either through brute force, or through well-known vulnerabilities in certain router OSes (which are rarely updated, because most sysadmins don't think the router/firewall is a legitimate target, or just don't bother to follow security updates... It's a firewall after all, so "It must be secure!").

      Or, analyze what IP address space you are announcing, and announce a more-specific route to their upstream over BGP (assuming their upstream does not apply prefix list or AS path filters), to redirect your prefix to their own router.

      E.g. Advertise the /24 of the IP they want to spoof, and include your AS number somewhere in the path, so your own router won't notice what the script kiddie is doing.

    29. Re:garbage in, garbage out... by Anonymous Coward · · Score: 0

      No pizza parlor would be stupid enough to take 1,000 orders and not think something was up

  3. Any Network Admin worth his weight... by bagboy · · Score: 2, Informative

    has not been using pptp for vpn for quite some time. IPSEC (AES) anyone? Just sayin.

    1. Re:Any Network Admin worth his weight... by drinkypoo · · Score: 4, Informative

      Any Network Admin worth his weight has not been using pptp for vpn for quite some time. IPSEC (AES) anyone? Just sayin.

      IPSEC doesn't have to use AES, it supports other ciphers. Further, PPTP does not specify encryption, but Windows clients use MPPE, which is RSA RC4.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Any Network Admin worth his weight... by Anonymous Coward · · Score: 0

      Probably not good to use "weight" comparisons for admins (at least the ones I've worked with).

    3. Re:Any Network Admin worth his weight... by Just+Some+Guy · · Score: 1

      On FreeBSD, sudo portinstall net/mpd5 and editing a config file to configure your IP addresses installs a working PPTP server that an Apple i* can use. Although you may not approve, my boss likes having an easy-to-configure VPN when he's on the road. I like being able to securely surf and IM from open WiFi. IPSEC might be the "better" way, but there's a lot to be said for having something working 5 minutes into trying it for the first time.

      --
      Dewey, what part of this looks like authorities should be involved?
    4. Re:Any Network Admin worth his weight... by drinkypoo · · Score: 1

      FWIW the tools in Win2k and later for IPSEC profile management are pretty fine. I have never actually tried with a windows client with a dynamic IP though :)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Any Network Admin worth his weight... by Just+Some+Guy · · Score: 1

      You're probably right. I just never got to the point of trying, since configuring PPTP was so easy and it works reliably.

      --
      Dewey, what part of this looks like authorities should be involved?
    6. Re:Any Network Admin worth his weight... by drinkypoo · · Score: 1

      I'm fiddling around with Windows 7 Pro right now and it doesn't seem to have the same grade of IPSEC management tools that 2K and XP mostly share. (XP has a bit more, of course.) But perhaps the functionality is moved into another snap-in? I have read that the shrew soft vpn client (download link) is useful in recent versions but have not yet set up ipsec on my desktop Ubuntu system to find out. I've done ipsec Linux-Linux and HPSUX-Windows but that's it so far.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. Wait, IPv6+PPTP+IPSEC only? by drinkypoo · · Score: 5, Informative

    You don't need PPTP if you're using IPSEC and IPv6. Even Microsoft clients don't need it any more.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. IPv6 by Perl-Pusher · · Score: 4, Funny

    IPv6, which is a new internet protocol due to replace the current IPv4

    My grand kids will probably be saying that to their grand kids.

    1. Re:IPv6 by Monkeedude1212 · · Score: 1

      Actually by then, it'll be IPv6.1 with a single extra bit added to the end of each IP Address, thereby DOUBLING the IP address space.

    2. Re:IPv6 by Anonymous Coward · · Score: 0, Funny

      My grand kids will probably be saying that to their grand kids.

      My grand-kids are saying that to their grand-kids.

      Now get off my lawn, you whipper snapper.

    3. Re:IPv6 by xanadu113 · · Score: 2, Interesting

      Right after we get switched to the metric system!

      In elementary school, they ONLY taught me the metric system, because it was going to replace the english system by the time I graduated high school... I'm still waiting...

      --
      -Myke
    4. Re:IPv6 by drinkypoo · · Score: 1

      Actually by then, it'll be IPv6.1 with a single extra bit added to the end of each IP Address, thereby DOUBLING the IP address space.

      Finally! I was wondering when I would have a use for my 129-bit processor design.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:IPv6 by BrokenHalo · · Score: 1

      Maybe you needed a different school. My education started in the '60s, and we learned to cope with both.

    6. Re:IPv6 by Anonymous Coward · · Score: 0

      Yeah, because 129-bit computing is going to be the next big thing in just a few years.

    7. Re:IPv6 by DdJ · · Score: 4, Funny

      Actually by then, it'll be IPv6.1 ...

      ...unless you're running on a Microsoft operating system, in which case it'll be "IPv6.11 for Workgroups".

    8. Re:IPv6 by vlm · · Score: 0, Troll

      I heard, that instead of specifying addresses using hexadecimal digits 0-9 and A-F, some PHD wants to use 0-9 and A-Z. And the offshored helpdesk wants to use unicode characters instead of hexadecimal digits.

      I bet there's a heck of a lot of spreadsheets and ip allocation thingys and map generation scripts and especially webpage javascript validation that won't tolerate "letters" in yer "IP addresses". Underlying OS and apps are generally OK at this point (I've been running ipv6 for many years from various tunnelbrokers)

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    9. Re:IPv6 by Runaway1956 · · Score: 1

      Yes, what BrokenHalo says. I started school in 1961, and learned pounds, ounces, etc. Somewhere along - ohhhh - 6th grade I think, they told us that within a couple years we wouldn't see any of that stuff, we needed to learn metric.

      Metric is so easy - if you can count to ten, you have metric mastered. I've never figured out why people claim they have a hard time with it. Everything is powers of ten - everything. Almost everyone is born with ten appendages at the ends of their arms, right? Yeah, yeah, a FEW people don't get the full complement of fingers, and a FEW others manage to lose an appendage or two along the way. All the same, ten digits.

      Ahhh well. I kinda like miles, gallons, and all the rest. They do take a tiny bit of brain power to compute. I get to feel superior when the real dullards can't understand what 128 ounces is equal to. "Oh my God, did you have to MEMORIZE that when you sailed on Noah's Ark?" "No, Honey, I'm just a low level genius, capable of multiplying 16 x 8, or 32 x 4 without benefit of a calculator."

      Quick pop quiz:
      1. How many US MILES around the earth at the equator?
      2. How many NAUTICAL miles around the earth at the equator?
      3. How many LEAGUES around the earth at the equator?

      Go ahead, pull out the calculators if you need to. I'll just act smug, and nod my head, LMAO

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    10. Re:IPv6 by Wonko+the+Sane · · Score: 1

      The downside to a base 10 measurement system is that it only has two factors: 2 and 5.

      It seems to be a lot more common to divide physical quantities into thirds than fifths so you are giving up something when you switch from a system that has 3 prime factors to one that only has 2.

      The cost/benefit ratio is probably in favor of the metric system in most cases, but don't dismiss the possibility that it might not be in all cases.

    11. Re:IPv6 by Anonymous Coward · · Score: 0

      You can still learn your inches as I have done.

      Canada is officially metric, which is to say official pieces of info like speed limits and driver's license weight, height, and eye colour.

      In day to day speech, though, it's feet and inches and pounds for human measurements, half the time it's Fahrenheit for room temperature, Celsius for outdoor temperature, 1/1000in or mm for machining, and so on the mishmash.

      Go figure.

    12. Re:IPv6 by Sir_Lewk · · Score: 1

      I went to school in the 90s and only learned metric. It was my understanding that this was pretty universal among public schools in my area.

      Really, if everyone stopped using imperial units tomorrow, I'd venture to guess that only a handful of old geezers would have any trouble with it.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    13. Re:IPv6 by hoggoth · · Score: 1

      3 and 1/3rd. 3.33. Was that so hard?
      If you are measuring flour for a cake and put in 3.34 or 3.32 I'm sure everyone will be polite and not tell you how bad it turned out.

      Or maybe you are calculating interstellar probe trajectories without a calculator?

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
    14. Re:IPv6 by Ares · · Score: 1

      Canada is officially metric, which is to say official pieces of info like speed limits and driver's license weight, height, and eye colour.

      metric eye colors, eh?

    15. Re:IPv6 by gknoy · · Score: 1

      metric eye colors, eh?

      Yeah, they list your eye color in nanometers.

    16. Re:IPv6 by Anonymous Coward · · Score: 0

      Anyone using spreadsheets to store IP allocation information (or any other database, for that matter) deserves to be fucked in the ass with a hot poker for eternity, so I think they're getting off easy if shit just breaks.

    17. Re:IPv6 by CFD339 · · Score: 1

      Did they teach entirely in Esperanto as well?

      --
      The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
    18. Re:IPv6 by clone53421 · · Score: 1

      Sheesh, I’d tell them to give it up and just let me graduate high school finally.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    19. Re:IPv6 by clone53421 · · Score: 1

      If you have a 3 1/3 ml measuring spoon, you’ve basically defeated your nice power-of-10 system.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    20. Re:IPv6 by uniquegeek · · Score: 1

      How about a space shuttle?

    21. Re:IPv6 by Anonymous Coward · · Score: 0

      Canada is right next door to the US of A. Pretty big hindrance to universal metric adoption right there. (Until the US finally takes the plunge)

      Places like France adopted hundreds of years ago, so they've had time.

      Down under, NZ switched to the metric system in 1976, and virtually no-one uses imperial.

    22. Re:IPv6 by BrokenHalo · · Score: 1

      If you put 100g of yeast in a 1kg loaf of bread simply because it's a nice round number in your power-of-10 system, you're going to end up with something you don't want to eat.

    23. Re:IPv6 by clone53421 · · Score: 1

      So... what you're telling me is that while nice round numbers are handy for mathematics, they aren't practically useful in real-life applications.

      Well, that's what we've been trying to tell you all along.

      So, we end up having 3 Tsp. per 1 Tbsp. Why? Because it was convenient in real life, not on a page of numbers.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  6. Oh no by Smallpond · · Score: 1

    Now they have my IP address: 192.160.0.1

    1. Re:Oh no by sconeu · · Score: 1

      Did you mean 192.168.0.1?

      192.168/16 is the private address. 192.160/16 is not.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:Oh no by kaizendojo · · Score: 1

      Did you mean 192.168.0.1? 192.168/16 is the private address. 192.160/16 is not.

      Stealth... You're doing it wrong.

    3. Re:Oh no by Tanman · · Score: 1

      Now they know what subset of brands your router is manufactured by, since various ones assign different local ip addresses. This lets them target attacks more specifically or search out vulnerabilities specific to certain known firmware issues.

    4. Re:Oh no by sharkey · · Score: 1

      May be, but there's NO WAY they're getting 127.0.0.1. That's MINE!

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  7. Wait a minute! by Anonymous Coward · · Score: 0

    The computer's IPv6 info can only leak out if the VPN has been also configured for IPv6.

  8. User flaw shows deluded sense of privacy on net by Bob_Who · · Score: 2, Interesting

    The only flaw is when people believe that VPN or any other network technology streaming on the public superhighway via telecoms and satellite networks is absolutely private and secure 100% of the time. Once you fix that defect, the rest won't matter anymore. Too bad our national security experts are having so much difficulty with that concept, since it's bad for business to accept reality or to tell the truth, in general.

  9. So, what's the move? by b0bby · · Score: 2, Interesting

    What, then, is the best way to preserve anonymity when using, for instance, BitTorrent? I have looked at services like BTGuard & Predator, but there's always a little spidey-sense tingle of lack of trust...

    1. Re:So, what's the move? by Anonymous Coward · · Score: 0

      I use ssh tunneling for certain websites but it could also be used for other traffic as well.

  10. Doesn't IPv6 drop some of the need for VPN? by Joe The Dragon · · Score: 1

    Doesn't IPv6 drop some of the need for VPN?

    But then the ISP needs to do their part and give you more than 1 IP.

    1. Re:Doesn't IPv6 drop some of the need for VPN? by vlm · · Score: 1

      Doesn't IPv6 drop some of the need for VPN?

      http://en.wikipedia.org/wiki/IPv6#Mandatory_network_layer_security

      IPSec is mandatory for "full ipv6 support", and of course almost no one uses it.

      It's kind of like saying having https webservers removes all need for VPNs. Well, not exactly.

      But then the ISP needs to do their part and give you more than 1 IP.

      I'm not aware of any tunnelbroker who won't give you a /48 for your LAN, at this time. ISPs, being ISPs, will find a way to F it all up, I'm sure.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Doesn't IPv6 drop some of the need for VPN? by spottedkangaroo · · Score: 1

      On IPv6, they shouldn't ever be giving you less than a /64 and a /48 if you request it (or pay more or whatever). NATing is apparently against the law, but we overlook it because otherwise IPv4 would be broken already. My thinking is that NATing on IPv6 will continue to be OK for security reasons, but it's supposed to be completely unnecessary since we'll have enough IPv6 addresses to give one to every grain of sand on earth or whatever.

      --
      Imagine if you weren't allowed to use roads because a bus company complained about your driving 3 times. --skunkpussy
    3. Re:Doesn't IPv6 drop some of the need for VPN? by vlm · · Score: 2, Interesting

      My thinking is that NATing on IPv6 will continue to be OK for security reasons

      My thinking is we're going to see massive namespace pollution in the marketing world. Since most people use "nat security" as basically a complicated as heck one way valve, and it's "expensive" to do nat compared to simple state based firewalls, I suspect the marketing droids are going to get simple state based firewalls that only allow outgoing connections from engineering, and then sell them as "ipv6 NAT" even though there's no address translation going on.

      After all, it's the same as ipv6 NAT because it allows you to connect your lan to the internet and it only allows outgoing connections, so it must be marketed with the same name.

      Who cares if the engineers know that NAT actually means something.

      And when it happens, you can say you saw it here on slashdot, first.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  11. Cipher Conference Video by SJ2000 · · Score: 3, Informative
    1. Re:Cipher Conference Video by Anonymous Coward · · Score: 1, Informative

      Unfortunately the talk is structured very poorly. The talk is about several deanonymization techniques: Flash, which allegedly does not respect proxy settings (I think it's an option), can be used to establish connections outside of the VPN if you can make the victim open a web page. Alternatives are image URLs with FTP or other protocols for which no proxy on the VPN is configured, etc. The IPv6 problem is of the same nature: If you link to an image with an IPv6 address in the URL, the request will not go through the VPN but through the normal IPv4 interface where the OS uses an IPv6 translation scheme which uses the real IPv4 and MAC addresses as part of the IPv6 address.

      The common idea between all these attacks is that not all connections are forced through the VPN (or dropped) and the applications can still see the local network environment and leak this information. This is a problem shared by all VPN technologies. If you want to avoid this, make a VPN router connect to the VPN and expose only the VPN to the local network. The only packets which are ever allowed on the real external IPv4 interface should be the encapsulated tunnel packets and packets necessary for setting up the tunnel. You can still leak information by (stupidly) making services available which leak local information (like network shares, browser services with identifying names, etc.).

    2. Re:Cipher Conference Video by materi · · Score: 1

      Was this all that they talked about? Nothing specific to PPTP as the title suggests? Then meh, not really news. I would have liked to listen to the talks if I could find a source with decent quality audio...

    3. Re:Cipher Conference Video by Anonymous Coward · · Score: 0

      There was a bit about weak PPTP authentication, but that is also not news, I believe. The IPv6 flaw is exacerbated by IPv6 tunneling apparently not working in Windows. The basic problem however is just the fact that Windows automatically creates tunneled IPv6 interfaces which bypass the VPN and can be used to deanonymize the user by instructing an application to make a connection to an IPv6 destination.

      I wish there was a paper or at least a PDF of the slides, but the link to the story goes to a page which is just a rehash of another page which is just a poor teaser for a video with bad video and audio. I find it hard to know if I'm missing the point or not.

    4. Re:Cipher Conference Video by Anonymous Coward · · Score: 0

      Here you go!
      forskningsavd.se/files/pdf/deanonymous.pdf

  12. PPTP? Who uses that? by Anonymous Coward · · Score: 0

    I've always used ipsec. I've never, ever seen a pptp vpn in production use.

  13. I RTFA but.. by rwwyatt · · Score: 1

    rather wish I had not.

  14. IP address leaked? by hoggoth · · Score: 1

    Hey um... I was just kidding about the whole overthrow the government thing. And the kiddie pics were for a research project. Like Pete Townshend. Yeah, just like Pete Townshend. And I purchased all of those songs and movies and just needed backup copies.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  15. Re:User flaw shows deluded sense of privacy on ne by Anonymous Coward · · Score: 0

    No the flaw is that anonymity != security. It can however be a side effect of security. Now if you want identity to be secure that is the information you need to protect as well as the payload information you are producing/consuming. In this case the implementation is 'leaking' information. Which is how it was designed. IPv6 is not about protecting your identity but has layers to protect your information.

    The internet by its very nature does not allow for totally anonymous things. It is how things get from me to you. There are logs of many connections to and from your computer.

    I posted this as AC just to underscore this point however. The guys who run slashdot *COULD* find out who I am. It is a matter of do they care enough to do so.

  16. Wait, hold on... by gravis777 · · Score: 1

    The Swedish anti-piracy bureau could already be gathering data using the exploit."

    Um, not sure about Swedish law, but isn't this similar to like, breaking DVD encryption? Just because the encryption is weak or has a security flaw in it, I am pretty sure it is still illegal to break or exploit it. If that's the case, could IP addresses gathered using this exploit be permissible in a court of law?

    Just wondering out loud

    1. Re:Wait, hold on... by b0bby · · Score: 1

      My basic understanding of it is that they're not breaking any encryption, they're just using this flaw to gather your real IP address when you are going through a VPN endpoint. Your hope would be that all anyone monitoring a torrent could see would be the address of your VPN endpoint (probably from a VPN provider like The Pirate Bay), but instead they're able to gather more information, presumably so they can identify and sue you.

    2. Re:Wait, hold on... by hag3r · · Score: 1

      And even if they were breaking laws, any evidence they found would still be permissible in a Swedish courtroom if I'm not mistaken.

    3. Re:Wait, hold on... by Husgaard · · Score: 1

      In Swedish law, even evidence gathered illegally is permissible in court.

      And with the new IPRED legislation in Sweden from last year, the anti-piracy now have better means of obtaining evidence for civil court cases (pay us, or we sue) than the Swedish police has for criminal file sharing cases.

  17. Well by DaMattster · · Score: 1

    The article wasn't terribly well written. I would say it is not a big deal at all because the traffic between the tunnel end-points is encrypted anyway. I smell an attempt to spread FUD about IPv6 and I happen to like IPv6.

  18. ...IPv6, which is a new Internet protocol... by Anonymous Coward · · Score: 0

    IPv6, which is a new Internet protocol due to replace the current IPv4

    thank you for so much useful information

  19. Oh yeah??? by Anonymous Coward · · Score: 0

    Well, *my* IP Address is 127.0.0.1

  20. Not IPv6's fault by Dagger2 · · Score: 1

    As far as I can see, the vulnerability he talks about in the video is basically "if you use a VPN, but you don't put IPv6 traffic over the VPN, IPv6 traffic won't go over the VPN".

    It seems a bit unfair to blame IPv6 for this; after all, IPv4 suffers from the same vulnerability.

  21. Duh. Run IPv4 inside a VM. by Anonymous Coward · · Score: 0

    And make sure the VM only uses the VPN connection for network access, nothing else.

    IPv4 works around the problem in TFA. VM protects your real identity.

    With a VM that has a fake identity, you won't risk your browser or other things either. Fake-personal information gets stolen or exposed from within the VM? No problem. It's not real. You can change it if you want.

    This also means never, ever, log in to GMail, Facebook, and other services from within the VM. Anything that can expose your real identity is a no-no. Within the VM you don't exist, have this mindset. So anything that has not been registered from within the VM, will not be used within the VM. Use some wallet-application to enforce this behaviour by storing the passwords made within the VM.

    And for the anonymizer providers, please try to give a real solution instead of some PPTP trash, will you?

  22. get a grip by Anonymous Coward · · Score: 0

    Everything you said can be answered quite simply: if you're concerned about someone downloading a picture of a 10 year old receiving an awesome blow job, don't become an EXIT node on TOR. Instead, become an INTERNAL node. You won't know where the traffic is coming from, or where it's going, or what the content is. That's your plausible deniability. And keep in mind TOR is used by thousands of people involved in things other than hairless pussy eating. Like intelligence stuff, cop stuff, diplomatic stuff, human rights stuff.

    Take a chill pill.

  23. Huh? by Anonymous Coward · · Score: 0

    What exactly are you trying to say, that encrypted VPN is useless? That it isn't technically possible? That corporate networks around the world should forget about encryption? Or (most likely) were you merely fishing for a chance to proclaim "privacy is dead" and "give it up already", even though it's not even relevant to this discussion?

  24. OpenVPN anyone? by Narcocide · · Score: 1

    PPTP can rot as far as I care. I've been using OpenVPN for a while now. It is much easier to set up, much less intrusive and much more secure.

  25. Windows 7 by Skapare · · Score: 1

    I noticed just today that Windows 7 was NOT using the standard EUI-64 (derived from MAC address) data in their auto-configured IPv6 addresses. Instead, the addresses seemed to be randomly generated. Maybe someone at Microsoft understood this issue ahead of time.

    --
    now we need to go OSS in diesel cars
    1. Re:Windows 7 by cbiltcliffe · · Score: 1

      I noticed just today that Windows 7 was NOT using the standard EUI-64 (derived from MAC address) data in their auto-configured IPv6 addresses. Instead, the addresses seemed to be randomly generated. Maybe someone at Microsoft understood this issue ahead of time.

      What? Microsoft understood something?! What are you thinking?! Of course they didn't understand it.

      What really happened is that Microsoft either couldn't figure out how to generate an IP address including the MAC, or they didn't even read the RFC, and don't realize that's what's supposed to happen.

      Microsoft understood the issue.

      Sheesh.

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
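
Added example (not part of any comment in this thread): several posts above note that auto-configured and tunneled IPv6 addresses can carry the host's real IPv4 or MAC address. This Python sketch audits an address you observe on your own interfaces and reports which of those identifiers it discloses; it goes slightly beyond the thread by also checking ISATAP, and all function names and sample addresses are constructed for illustration.

```python
import ipaddress

def eui64_mac(iid: bytes):
    """Recover the MAC from a modified EUI-64 interface identifier, else None."""
    if iid[3:5] != b"\xff\xfe":          # EUI-64 inserts ff:fe in the middle
        return None
    # Undo the universal/local bit flip applied to the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def disclosed_identifiers(text: str) -> dict:
    """Return the host identifiers that an IPv6 address gives away."""
    addr = ipaddress.IPv6Address(text.split("%", 1)[0])  # drop any zone id
    iid = addr.packed[8:]                # low 64 bits: interface identifier
    found = {}
    if addr.teredo is not None:          # 2001:0::/32, client IPv4 is XOR-obfuscated
        server, client = addr.teredo
        found["teredo_server"] = str(server)
        found["teredo_client_ipv4"] = str(client)
        return found                     # Teredo IID is flags/port/IPv4, not EUI-64
    if addr.sixtofour is not None:       # 2002::/16 carries the IPv4 in bits 16..47
        found["6to4_ipv4"] = str(addr.sixtofour)
    if iid[:4] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        found["isatap_ipv4"] = str(ipaddress.IPv4Address(iid[4:]))
    else:
        mac = eui64_mac(iid)
        if mac:
            found["eui64_mac"] = mac
    return found

# Constructed sample addresses (documentation ranges, made-up MAC).
SAMPLES = {
    "eui64":   "fe80::211:22ff:fe33:4455%12",
    "6to4":    "2002:c000:201::1",
    "teredo":  "2001:0:c000:22d:8000:f227:34ff:8ef8",
    "isatap":  "fe80::5efe:c633:6409",
    "privacy": "2001:db8::a1b2:c3d4:e5f6:789a",
}

def audit(samples: dict) -> dict:
    """Map each label to what its address discloses (empty dict = nothing found)."""
    return {label: disclosed_identifiers(a) for label, a in samples.items()}

if __name__ == "__main__":
    for label, leaks in audit(SAMPLES).items():
        print(f"{label:8} {SAMPLES[label]:40} {leaks or 'no embedded identifier'}")
```

An empty result only means the address itself embeds no MAC or IPv4; traffic that bypasses the tunnel still exposes its source address.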
  26. tracert = hax0r tool! by that IT girl · · Score: 1

    However, this can be done by any average user in Windows:

    http://www.youtube.com/watch?v=SXmv8quf_xM
    ...LOL

    --
    10 FILL MUG WITH COFFEE
    20 DRINK COFFEE
    30 GOTO 10