‘Game of Thrones’ Most Torrented TV-Show of 2016

For the fifth year in a row Game of Thrones has taken the crown for the most pirated TV-show on the Internet. The Walking Dead remains in second place, with newcomer Westworld right behind.

For several years in a row Game of Thrones has been the most pirated TV-show, and this year the interest is once again overwhelming.

Game of Thrones has the honor of becoming the most-downloaded TV show through BitTorrent for the fifth year in a row.

This means that its half-decade reign remains unchallenged, despite reports to the contrary.

Although there was no new swarm record, traffic-wise the interest was roughly on par with last year. The highest number of people actively sharing an episode across several torrents was 350,000 at its peak; this was right after the season finale came online.

This doesn’t necessarily mean that there’s no growth in piracy. A lot of people have made the switch from torrents to streaming sites over the past months, which likely had an impact on the numbers.

This year there’s also an important newcomer with the science-fiction western ‘Westworld.’ The new show quickly gained popularity in pirate circles and is in third spot already, which is quite an achievement.

Finally, we see a continuation of the trend of downloaders showing an increased interest in high-quality video. In recent years, many pirates have moved from 480p copies to 720p and 1080p videos, in part thanks to better broadband availability.

Below we have compiled a list of the most torrented TV-shows worldwide (single episode) for 2016, together with the traditional ratings in the US. The ranking is compiled by TorrentFreak based on several sources, including statistics reported by public BitTorrent trackers.

We have decided to stop reporting download estimates in our yearly top lists. Due to various changes in the torrent index/tracker landscape it’s become more challenging to monitor downloads, so a ranked overview makes most sense.

Most downloaded TV-shows on BitTorrent, 2016

Rank  Last year  Show
1     (1)        Game of Thrones
2     (2)        The Walking Dead
3     (…)        Westworld
4     (5)        The Flash
5     (4)        Arrow
6     (3)        The Big Bang Theory
7     (7)        Vikings
8     (…)        Lucifer
9     (10)       Suits
10    (…)        The Grand Tour

Pirate Bay is The King of Torrents Once Again

This week The Pirate Bay quietly celebrated its 13th anniversary. Where other giants have fallen in the past, the notorious Pirate ship has stayed afloat. Today we chat with the TPB-team to discuss their remarkable achievement.

Hollywood hoped that it would never happen, but this week The Pirate Bay quietly turned thirteen years old.

The site was founded in 2003 by Swedish pro-culture organization Piratbyrån (Piracy Bureau). The idea was to create the first public file-sharing network in Sweden, but the site soon turned into the global file-sharing icon it is today.

Over the years there have been numerous attempts to shut the site down. Following pressure from the United States, Swedish authorities raided the site in 2006, only to see it come back stronger.

The criminal convictions of the site’s founders didn’t kill the site either, nor did any of the subsequent attempts to take it offline.

The Pirate Bay is still very much ‘alive’ today.

That’s quite an achievement by itself, looking at all the other sites that have fallen over the years. Just last month KickassTorrents shut down, followed by Torrentz a few days ago.

Many KickassTorrents and Torrentz users are now turning to TPB to get their daily dose of torrents. As a result, The Pirate Bay is now the most visited torrent site, once again.

TorrentFreak spoke to several members of the TPB-crew. While they are not happy with the circumstances, they do say that the site has an important role to fulfil in the torrent community.

“TPB is as important today as it was yesterday, and its role in being the galaxy’s most resilient torrent site will continue for the foreseeable future,” Spud17 says.

“Sure, TPB has its flaws and glitches but it’s still the go-to site for all our media needs, and I can see TPB still being around in 20 or 30 years time, even if the technology changes,” she adds.

Veteran TPB-crew member Xe agrees that TPB isn’t perfect but points to the site’s resilience as a crucial factor that’s particularly important today.

“TPB ain’t perfect. There are plenty of things wrong with it, but it is simple, steadfast and true,” Xe tells TorrentFreak.

“So it’s no real surprise that it is once more the destination of choice or that it has survived for so long in spite of the inevitable turnover of crew.”

And resilient it is. Thirteen years after the site came online, The Pirate Bay is the “King of Torrents” once again.

Finally, we close with a yearly overview of the top five torrent sites of the last decade. Notably, the Pirate Bay is the only site that appears in the list every year, which is perhaps the best illustration of the impact it had, and still has today.

2007

1. TorrentSpy
2. Mininova
3. The Pirate Bay
4. isoHunt
5. Demonoid

2008

1. Mininova
2. isoHunt
3. The Pirate Bay
4. Torrentz
5. BTJunkie

2009

1. The Pirate Bay
2. Mininova
3. isoHunt
4. Torrentz
5. Torrentreactor

2010

1. The Pirate Bay
2. Torrentz
3. isoHunt
4. Mininova
5. BTJunkie

2011

1. The Pirate Bay
2. Torrentz
3. isoHunt
4. KickassTorrents
5. BTJunkie

2012

1. The Pirate Bay
2. Torrentz.com
3. KickassTorrents
4. isoHunt
5. BTJunkie

2013

1. The Pirate Bay
2. KickassTorrents
3. Torrentz
4. ExtraTorrent
5. 1337X

2014

1. The Pirate Bay
2. KickassTorrents
3. Torrentz
4. ExtraTorrent
5. YIFY-Torrents

2015

1. KickassTorrents
2. Torrentz.com
3. ExtraTorrent
4. The Pirate Bay
5. YTS

2016

1. KickassTorrents
2. The Pirate Bay
3. ExtraTorrent
4. Torrentz
5. RARBG

TODAY

1. The Pirate Bay
2. ExtraTorrent
3. RARBG
4. YTS.AG
5. 1337X

‘GAME OF THRONES’ MOST PIRATED TV-SHOW OF 2015

For the fourth year in a row Game of Thrones has taken the crown for the most pirated TV-show on the Internet. The Walking Dead is firmly in second place, followed by The Big Bang Theory.

Game of Thrones has the honor of becoming the most downloaded TV-show for the fourth year in a row.

With an estimated 14.4 million downloads via BitTorrent, the 2015 season finale has beaten the competition by a landslide.

More than half of the downloads occurred in the first week after the show aired and the total exceeds the number of traditional viewers in the US. The Walking Dead and Big Bang Theory complete the top three with an estimated 6.9 and 4.4 million downloads respectively.

Pirates have shown an increase in interest for higher quality releases compared to earlier years. However, the lower quality 480p copies of TV-shows remain by far the most popular among downloaders, followed by 720p and 1080p respectively.

Game of Thrones’ top listing doesn’t come as much of a surprise. Earlier this year it broke an all-time piracy record when more than 258,131 peers shared the same torrent file simultaneously.

Overall there is no sign that TV-show piracy is declining; on the contrary, the download numbers for the most popular shows continue to rise, sometimes exceeding the number of traditional viewers in the US.

Below we have compiled a list of the most downloaded TV-shows worldwide (single episode) for 2015, together with the traditional ratings in the US. The download numbers are estimated by TorrentFreak based on several sources, including statistics reported by public BitTorrent trackers.

Online streaming and downloads from file-hosting services are not included since there are no public sources to draw data from. Total piracy numbers will therefore be significantly higher.

Most downloaded TV-shows on BitTorrent, 2015
Rank  Show                 Est. downloads  Est. US TV viewers
1     Game of Thrones      14,400,000      8,110,000
2     The Walking Dead     6,900,000       15,780,000
3     The Big Bang Theory  4,400,000       18,300,000
4     Arrow                3,900,000       3,920,000
5     The Flash            3,600,000       4,010,000
6     Mr. Robot            3,500,000       1,750,000
7     Vikings              3,300,000       5,010,000
8     Supergirl            3,000,000       12,960,000
9     The Blacklist        2,900,000       10,110,000
10    Suits                2,600,000       2,380,000

WHICH VPN SERVICES TAKE YOUR ANONYMITY SERIOUSLY? 2016 EDITION

VPN services have grown increasingly popular in recent years, but not all are completely anonymous. Some VPN services even keep extensive logs of users’ IP-addresses for weeks. To find out which are the best VPNs, TorrentFreak asked several dozen providers about their logging policies, and more.

Millions of people use a VPN service to browse the Internet securely and anonymously. Unfortunately, however, not all VPN services are as anonymous as they claim to be and some keep extensive logs of private information.

To help VPN users to make an informed choice we decided to ask dozens of VPN services how they protect the privacy of their users. Today we present the fifth iteration of our annual VPN services “logging” review.

In addition to questions about logging policies we also asked VPN providers about various other privacy related issues.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, what information and for how long?

2. What is the registered name of the company and under what jurisdiction(s) does it operate?

3. Do you use any external visitor tracking, email providers or support tools that hold information of your users / visitors?

4. In the event you receive a takedown notice (DMCA or other), how are these handled?

5. What steps are taken when a valid court order or subpoena requires your company to identify an active user of your service? Has this ever happened?

6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

7. Which payment systems do you use and how are these linked to individual user accounts?

8. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide DNS leak protection and tools such as “kill switches” if a connection drops?

9. Do you offer a custom VPN application to your users? If so, for which platforms?

10. Do you use your own DNS servers?

11. Do you have physical control over your VPN servers and network or are they hosted by/accessible to a third party?

12. What countries are your servers located in?

What follows is the list of responses from the VPN services, in their own words. Providers who didn’t answer our questions directly or failed by logging extensively were excluded. We specifically chose to leave room for detailed answers where needed. The order of the list holds no value.

PRIVATE INTERNET ACCESS

1. We do not store logs relating to traffic, session, DNS or metadata. In other words, we do not log, period. Privacy is our policy.

2. We’re known as London Trust Media, Inc., and we are located in the US, one of the few countries that do not have a mandatory data retention policy. Additionally, since we operate in the country with the strongest of consumer protection laws, our beloved clients are able to purchase with confidence.

3. We take advantage of Google Apps and Analytics. All of our systems and support tools are in-house.

4. We do not monitor our users, period. That said, we have an active proprietary system in place to help mitigate abuse.

5. Every subpoena is scrutinized to the highest extent for compliance with both the “spirit” and “letter of the law.” We have not received a valid court order. All this being said, we do not log and do not have any data on our customers other than their e-mail and account username.

6. Yes. We do not censor our servers, period.

7. We utilize a variety of payment systems, including, but not limited to: PayPal, Credit Card (with Stripe), Amazon, Google, Bitcoin, Stellar, Ripple, CashU, any major store bought gift card and OKPay. Over 100 new forms of international payment coming soon.

8. Currently, the most secure and practical encryption algorithm that we recommend to our users would be our cypher suite of AES-256 + RSA4096 + SHA256. That being said, AES-128 is still safe. Our users specifically also gain a plethora of additional protections, including but not limited to:

(a) Kill Switch: Ensure that traffic is routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic will not route.
(b) IPv6 Leak Protection: Protects clients from websites which may include IPv6 embeds, which could leak to IPv6 IP information coming out.
(c) DNS Leak Protection: This is built-in and ensures that DNS requests are made through the VPN on a safe, private, no-log DNS daemon.
(d) Shared IP System: We mix clients’ traffic with many other clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.

9. We have a great application to which our users have left amazing reviews. It is supported on the following platforms: Windows, Mac OS X, Linux, Android, iOS and a Chrome Extension (Coming soon).

Additionally, users of other operating systems can connect with other protocols including OpenVPN and IPSec among others. Our application maintains connection debug information, stored safely, locally and is regularly destroyed. This is for users who wish to seek assistance in the rare case of connection issues.

10. Yes, we operate our own DNS servers on our high throughput network. These servers are private and do not log.

11. We utilize third party datacenters that are operated by trusted friends and, now, business partners who we have met and completed serious diligence on. Our servers are located in facilities including 100TB, UK2, SoftLayer, Choopa, Leaseweb, among others.

12. We’re currently located in: USA, Canada, United Kingdom, Australia, New Zealand, Netherlands, Sweden, Norway, Denmark, Switzerland, France, Germany, Ireland, Italy, Russia, Romania, Turkey, Hong Kong, Singapore, Japan, Israel, Mexico, Brazil, India, Finland (Coming soon) and Spain (Coming soon)

We have over 3,000 servers deployed at the time of writing with over 500 in manufacture/shipping.

Private Internet Access website

TORGUARD

1. No logs or time stamps are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network. In addition to a strict no logging policy we run a shared IP configuration across all servers. Because there are no logs kept with multiple users sharing a single IP address, it is not possible to match a user with an IP and time stamp.

2. TorGuard is owned and operated by VPNetworks LLC under US jurisdiction, with our parent company VPNetworks LTD, LLC based in Nevis.

3. We use Sendgrid for bulk email services and encourage users to take advantage of TorGuard’s free email service for increased anonymity during signup. Our 24/7 live chat services are managed by Livechatinc’s platform. Advanced support desk requests are maintained by TorGuard’s own internal support ticketing system.

4. Because we do not host any content it is not possible for us to remove anything from a server. In the event a valid DMCA notice is received it is immediately processed by our abuse team. Due to our no log policy and shared IP network configuration we are unable to forward any requests to a single user.

5. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of a shared IP configuration and the fact that we do not hold any identifying logs. No, we remain unable to identify any active user from an external IP address and time stamp.

6. Yes, BitTorrent and all P2P traffic is allowed. By default we do not block or limit any types of traffic across our network.

7. We currently accept over 200 different payment options through all forms of credit card, PayPal, Bitcoin, altcoins (e.g. dogecoin, litecoin + more), Alipay, UnionPay, CashU, 100+ Gift Cards, and many other methods. No usage can be linked back to a billing account due to the fact that we maintain zero logs across our network.

8. For best security we advise clients to use OpenVPN connections only and for encryption select AES256 with 2048bit RSA. AES128 is also considered very safe and is a great option if download speed is a priority. Yes, TorGuard provides a full range of security features including a connection kill switch, application kill switch, DNS leak protection, IPv6 leak protection, WebRTC leak protection, and Stealth VPN services. All encryption and security features are available to clients at no additional charge.

9. TorGuard offers a custom VPN application powered by OpenVPN for all versions of Windows, OSX, Linux and Android. We also offer a custom iOS app available on iTunes, however due to Apple’s API restrictions the app uses IPsec for VPN connections. TorGuard’s custom VPN applications do not store any connection logs on the user’s local machine.

10. Yes, we offer all clients the choice between private no log TorGuard DNS servers or Level 3 and Google DNS servers. Members also have the option of using TorGuard local DNS, which is a no log DNS solution running locally on each VPN endpoint.

11. Yes, we retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by our in house networking team via a single, secure key.

12. TorGuard currently maintains thousands of servers in over 49 countries around the world and we continue to expand the network every month. All customers get full access to our network with servers in: Australia, Belgium, Brazil, Canada, China, Costa Rica, Czech Republic, Denmark, Egypt, Finland, France, Germany, Greece, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Italy, Japan, Korea, Latvia, Luxembourg, Malaysia, Mexico, Moldova, Netherlands, New Zealand, Norway, Panama, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Thailand, Tunisia, Turkey, Ukraine, United Kingdom, USA, and Vietnam.

TorGuard website

SLICKVPN

1. SlickVPN does not log any traffic nor session data of any kind.

2. Slick Networks, Inc. is our recognized corporate name. We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. The main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.

3. We utilize third party email systems to contact clients who opt in for our newsletters and Google Analytics for basic website traffic monitoring and troubleshooting.

4. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session, otherwise we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we ALMOST NEVER receive a VALID DMCA complaint while a user is still in an active session.

5. This has never happened in the history of our company. Our customer’s privacy is of topmost importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. We would not rule out relocating our businesses to a new jurisdiction if required.

6. Yes, all traffic is allowed.

7. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America and the other platform is operated out of Nevis. We offer the ability for the customer to permanently delete their payment information from our servers at any point. All customer data is automatically removed from our records shortly after the customer ceases being a paying member.

8. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and it uses the AES-256-CBC algorithm for encryption.

Our Windows and Mac client incorporates IP and DNS leak protection which prevents DNS leaks and provides better protection than ordinary ‘kill-switches’. Our IP leak protection proactively keeps your IPv4 and IPv6 traffic from leaking to untrusted networks. This was one of the first features we discussed internally when we were developing our network, it is a necessity for any good VPN provider.

SlickVPN Scramble is available to all of our customer accounts. This feature provides an added level of privacy by obfuscating the OpenVPN headers allowing the customer to bypass Deep Packet Inspection (DPI). Using SlickVPN Scramble will allow users to access our network when VPN access is restricted by certain countries, universities, workplaces, or organizations. We also offer our HYDRA product, which utilizes revolutionary multi-hop, multi-destination connections to block anyone from tracking your online activities.

9. Yes. Our users are provided with a custom client, designed by our in-house engineers. Currently, the client works with Windows and Mac products. Our client does NOT store logs on customer computers by default. We also provide guides for every other platform.

10. Yes

11. We run a mix. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties unless there is enough demand in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We run an algorithm to randomly reboot each server on a regular basis so we can clear the ramdisk.

12. At SlickVPN we actually go through the expense of putting a physical server in each country that we list. There are: Australia, Austria, Belgium, Brazil, Bulgaria, Canada, Chile, China, Czech Republic, Denmark, France, Germany, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Japan, Latvia, Liechtenstein, Luxembourg, Macau, Malaysia, Netherlands, New Zealand, Norway, Panama, Poland, Portugal, Republic of Kosovo, Romania, Russian Federation, Singapore, South Africa, Spain, Sweden, Switzerland, Taiwan, Thailand, Turkey, Ukraine, United Kingdom and United States

SlickVPN website

IPREDATOR

1. No logs are retained that would allow the correlation of a user’s IP address to a VPN address. The session database does not include the origin IP address of the user. Once a connection has been terminated the session information is deleted from the session database.

2. The name of the company is PrivActually Ltd. which operates out of Cyprus.

3. We do not use any visitor tracking mechanism not even passive ones analyzing the webserver logs. Neither do we use a ticket system to manage support requests. We stick to a simple mail system and delete old data after 3 months from our mail boxes.

4. The staff forwards them to the BOFH. Notices sent via paper are usually converted into energy by combustion … to power the data center in the basement where the BOFH lives. Digital SPAM^WDMCA notices are looped back into the kernel to increase the VPNs /dev/random devices entropy.

5. We evaluate the request according to the legal framework set forth in the jurisdictions we operate in and react accordingly. We had multiple cases where somebody tried but did not succeed to identify active users on the system. Examples:

– A French company which sent lawyers to identify a whistle-blower.
– The Polish police which contacted us because somebody made a bomb threat in a bigger mall in Poland.
– The Russian oligarch state which tried to learn who was hosting a torrent website on the VPN.

All cases were resolved without disclosing the identities. Our general stance is that IF we are in a position where we would need to weigh common good vs. running the VPN service we would sacrifice the VPN service.

6. Besides filtering SMTP on port 25 we do not impose any restrictions on protocols our users can use on the VPN, quite the contrary. We believe our role is to provide a net-neutral internet access.

Every user is free to share his/her/its files. We are conservative people and firmly believe in the heritage of our society, which was built upon the free exchange of cultural knowledge. This new age patent system, and the idea that we need companies who milk creators are simply alien to us.

7. We offer PayPal, Bitcoins, Payza, and PaySon fully integrated. OkPay, Transferwise, WU, PerfectMoney, Webmoney, Amazon Giftcards, Cash and Credit Cards on request. An internal transaction ID is used to link payments to their payment processors. We do not store any other data about payments associated with the users account.

8. We provide up to date config files and enforce TLS1.2 for the control channel on all supported systems. For further protection we provide detailed setup instructions for our users. Besides the public and VPN internal DNS servers we also support DNSCrypt as a means to encrypt DNS requests. Howtos for kill switches are available as well. We do not enforce a particular client.

9. Not at the moment.

10. As stated in 8) we run both public and VPN internal DNS Servers and also support DNSCrypt.

11. We own our complete setup, network, and data center with everything in it – no 3rd parties are allowed access. We do not trust in 3rd parties operating our core infrastructure. More details are available here.

12. They are in Sweden due to the laws that allow us to run our service in a privacy protecting manner.

Ipredator website

IPVANISH

1. IPVanish is a no log VPN.

2. Mudhook Marketing, Inc. State of Florida

3. We use basic inbound marketing tools like Google Analytics, but we do not track user activities outside of our site. We also do not track the browsing activities of users who are logged into our VPN service.

4. We do not store, host, stream or provide any content, media, images or files that would be subject to a properly formed takedown notice.

5. First, any request has to be a valid and lawful request before we will even acknowledge the request. If the request is for user data or identification of a subscriber based on an IP address, we inform the agency making the request that we do not keep any logs and we operate in a Jurisdiction that does not require mandatory data retention. Sometimes, legal agencies or authorities may not be happy with this response. We politely remind them that IPVanish operates within the letter of the law and is a valid and needed service to protect the privacy of its subscribers.

6. Yes.

7. Bitcoin, PayPal and all major credit cards are accepted. Payments and service use are in no way linked.

8. We recommend OpenVPN with 256 bit AES as the most secure VPN connection and encryption algorithm.

IPVanish does have a Kill Switch feature that terminates all network traffic to prevent any DNS leaks in the event your VPN connection drops. We also have a user-enabled option that automatically changes your IP address randomly at selected time intervals.

9. Yes. iOS, Android, Windows and Mac. IPVanish is also configurable with DD-WRT and Tomato routers (pre-configured routers available), gaming consoles, Ubuntu and Chromebook.

10. Yes.

11. We own and have physical control over our entire operational infrastructure, including the servers. Unlike other VPN services, we actually own and operate a global IP network backbone optimized for VPN delivery which ensures the fastest speeds of any VPN provider.

12. We have servers in over 60 countries including the US, Australia, United Kingdom, Canada and more. You can view the complete list on our servers page.

IPVanish website

MULLVAD

1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users share each address, both for IPv4 and IPv6.

2. Amagicom AB. Swedish.

3. We have no external elements at all on our website. We do use external email and encourage people sending us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

4. There is no such Swedish law that is applicable to us.

5. We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.

6. Yes.

7. Bitcoin, cash (in the mail), bank transfers, and PayPal / credit cards.

8. OpenVPN (using the Mullvad client program).

Regarding crypto ideally we would recommend Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN. We therefore recommend and by default use RSA-2048, D-H (DHE) and AES-256-CBC-SHA.

That said, cryptographic algorithms, key lengths etc are usually the strongest part of a system and hardly ever the right thing to focus on. It’s like worrying about whether to have a 128 mm or 256 mm thick steel door on a house with wooden walls and glass windows.

We provide a kill switch and DNS leak protection as well as IPv6 leak protection (and IPv6 tunneling).

9. Yes. Windows, Linux and OS X. The client program stores connection logs for the current and last time it ran on the its computer.

10. Yes.

11. We have a range of servers. On one end servers lovingly assembled and configured by us with ambitious physical security in data centers owned and operated by people we trust personally and whose ideology we like. On the other end rented hardware in big data centers. Which to use depends on the threat model and performance requirements.

12. Sweden, the Netherlands, USA, Germany and Canada.

Mullvad website

BLACKVPN

1. No. We purge this information when the user disconnects from the VPN.

2. BLACKVPN LIMITED is a registered company in Hong Kong and operates under the jurisdiction of Hong Kong.

3. We use StreamSend for sending generic welcome and renewal reminder emails, as well as for the occasional news updates. We have Facebook and Twitter widgets on our front page that may track visitors. We host our own website analytics, support system and live chat systems using open source tools.

4. We temporarily block the port on the VPN server listed in the notice.

5. If we received a valid court order from a Hong Kong court then we would be legally obliged to obey it. This has never happened yet.

6. It is only allowed on our Privacy VPN locations, due to stricter enforcement of these notices in the USA and UK.

7. PayPal, Bitcoin and PaymentWall (for Credit Cards and Bank Transfers). The transaction details (ID, time, amount, etc) are linked to each user account.

8. We always recommend OpenVPN and our VPN servers enforce AES-256-CBC encryption and use 4096 bit RSA and Diffie Hellman keys. The open source OpenVPN client can now be configured for DNS leak prevention and not to leak any traffic if the VPN connection drops. We package the Windows OpenVPN client pre-configured this way for our users, and we also package the OS X Tunnelblick app to prevent IP leaks too.

9. Android – currently in beta but almost ready for release. Only the connection log from the last connection is kept.

10. We proxy DNS queries to UncensoredDNS.org / CensurfriDNS.dk

11. We use dedicated servers which are hosted in 3rd party data centers.

12. USA, UK, Canada, Brazil, Netherlands, Switzerland, Luxembourg, Estonia, Lithuania, Romania, Russia, Ukraine, Singapore and Australia

BlackVPN website

IVPN

1. No, this is fundamental to the service we provide. It is also in our interests not to do so as it minimizes our own liability and is not required by law.

2. Privatus Limited, Gibraltar.

3. No. We made a strategic decision from day one that no company or customer data would ever be stored on 3rd party systems. Our customer support software, email, web analytics (Piwik), issue tracker, monitoring servers, code repos, configuration management servers etc. all run on our own dedicated servers that we set up, configure and manage. No 3rd parties have access to our servers or data.

4. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we never store the IP addresses of customers connected to our network nor are we legally required to do so.

5. Firstly, this has never happened. However, if asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provided us with an email address and asked for the customer’s identity then we would reply that we do not store any personal data. If the company were served with a valid court order that did not breach the Data Protection Act 2004 we could only confirm that an email address was or was not associated with an active account at the time in question.

6. Yes, we don’t block BitTorrent or any other protocol on any of our servers. We do kindly request that our customers use non-USA based exit servers for P2P. Any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.

7. We accept Bitcoin, Cash, PayPal and credit cards. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin. When paying with PayPal or a credit card a token is stored that is used to process recurring payments. This information is deleted immediately when an account is terminated.

8. We provide RSA-4096 / AES-256 with OpenVPN, which we believe is more than secure enough for our customers’ needs. If you are the target of a state level adversary or other such well-funded body you should be far more concerned with increasing your general opsec than worrying about 2048 vs 4096 bit keys.

The IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible (DNS, network failures, WebRTC STUN, IPv6 etc.). It also has an ‘always on’ mode that will be activated on boot before any process on the computer starts. This will ensure that no packets are ever able to leak outside of the VPN tunnel.

9. Yes, we offer a custom OpenVPN based client for Windows and OSX which includes our advanced VPN firewall that blocks every type of possible IP leak.

10. Yes, absolutely.

11. We use bare metal dedicated servers leased from 3rd party data centers in each country where we have a presence. We install each server using our own custom images and employ full disk encryption to ensure that if a server is ever seized its data is worthless. We also operate an exclusive multi-hop network allowing customers to choose an entry and exit server in different jurisdictions which would make the task of legally gaining access to servers at the same time significantly more difficult.

12. Iceland, Switzerland, Sweden, United Kingdom, Netherlands, Germany, Romania, France, Italy, Hong Kong, USA, Canada,

IVPN website

LIQUIDVPN

1. No, we do not.

2. LiquidVPN Inc out of Wyoming, USA

3. We use Google Analytics with Anonymous IPs turned on throughout the site. We use Facebook insights and Open Graph on our front end website to track our blog’s impact on social media. We use Stripe as our credit card processor.

4. All datacenters in the USA require some response now. Some are just a simple checkbox, and others want a written reply. We have had to remove servers from several locations because of our zero log policy. We respect and abide by U.S. and EU copyright laws including the requirements of the DMCA and rely on our users to do the same. Because we do not log our users’ activities we are not able to identify users that may be infringing the legal copyrights of others.

5. This has never happened. Depending on your payment method we limit the amount of personal data on file. So much so that if a user pays with Bitcoin it is just a first name and email address. If a valid court order comes in asking us to identify someone that is in our system, we would be required to provide that person’s billing information. Even if it is just a transaction number, first name and email address.

6. Yes, they are.

7. We currently accept Credit cards, BTC, cash and PayPal. Billing and Authentication are separate. Recently we have completely overhauled our billing and authentication infrastructure to make use of SHA512 salted credentials that our billing system updates using encrypted tokens. Everything related to billing and user authentication that is sent “over the wire” is done so with the use of proxies on both sides that encrypt the data using 256 bit AES encryption and pass it to another proxy that turns it back into something our authentication network can process.

8. Well if you are concerned about your privacy then use our IP Modulation. Which changes a user’s public IP address several times during a single page load. It can sometimes break websites, so we recommend it only for that 1% of users.

We use AES-256-CBC, 4096 bit RSA keys and SHA512 auth. Currently, it is the best encryption OpenVPN supports natively. Our software comes with a tool called Liquid Lock which builds custom firewall rules using your operating system’s firewall to prevent DNS leaks, disconnect leaks, WebRTC leaks, IPv6 leaks and any other type of leak preventable with firewall rules.

9. Yes, we do. We have Windows, Mac and Android applications currently available. OSX and Linux are in production. Our client only keeps essential connection logs for the active session, once the session is disconnected the logs erase from memory.

10. Yes, they provide SMART DNS functionality for USA and UK content providers.

11. We have control over our network. Every server we own runs on either a custom compiled Gentoo kernel or RouterOS. We lease the hardware from tier 3 or higher datacenters all over the world. No one but us has access to these servers.

12. Currently, we have multiple USA and the Netherlands locations. We also have servers in Canada, the United Kingdom, Sweden, Germany, Romania, Singapore and Switzerland.

LiquidVPN website

SMARTVPN

1. We don’t keep any kind of logs.

2. The company name is Anonymous SARL and operates under the jurisdiction of the Kingdom of Morocco.

3. We use Google Analytics and Tawk live support.

4. There is nothing to take down since we don’t host any files in the first place.

5. This has never happened before, but we won’t be able to cater their demand as we can’t identify that user within our system.

6. BitTorrent and other P2P protocols are allowed on all our servers.

7. We use BitPay (BitCoins), PayPal, HiPay.

8. We recommend OpenVPN for Desktop and IKEv2 for Mobile devices. As for the encryption, we use the AES-256-CBC algorithm. DNS leak protection is already enabled however “kill switches” will be available soon.

9. We provide a custom VPN application for Mac and Windows based on OpenVPN, and Mobile apps (Android and iOS) based on IKEv2. And again, we do not keep any connection logs.

10. We use our own DNS servers.

11. We have a mix, physical control over most of our infrastructure and some exotic locations are hosted by 3rd party partners.

12. Germany, Netherlands, France, USA, Morocco, Russia, Canada, United Kingdom, Spain, Italy, Ukraine, Singapore, Brazil, Korea, Sydney, Ireland, Japan and Isle Of Man… And of course new servers/locations are added on a weekly basis.

SmartVPN website

PRIVATEVPN

1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. We value the privacy of our customers.

2. Privat Kommunikation Sverige AB and we operate under Swedish jurisdiction.

3. We use a service from Provide Support (ToS) for live support. They do not hold any information about the chat session. From Provide Support: Chat conversation transcripts are not stored on Provide Support chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email according to the user account settings, and then destroyed. We’re also using Google Analytics and Statcounter for collecting statistics of how many visitors we have, popular pages and conversion of all ads. This data is used for optimization of the website and advertisement.

4. We do not store any kind of logs of our customers’ activity, which also will be informed.

5. Due to our policy of NOT keeping any logs, there is nothing to provide about users of our service. It has never happened.

6. Yes, we allow Torrent traffic. We buy high-capacity internet traffic so we can meet the demands. On some locations we use Tier1 IP transit providers for best speed and routing to other peers.

7. PayPal, Payson, Bitcoin. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us or a user activity.

8. OpenVPN TUN with AES-256. On top is a 2048-bit DH key. For our Windows VPN client, we have a feature called “Connection guard”, which will close a selected program(s) if the connection drops. We have no tools for DNS leak but, best way, which is always 100%, is to change the local DNS on the device to DNS servers we provide. We’re working on a feature that does this so the customer doesn’t need to change it manually for 100% protection.

9. Yes, for Windows. We’re working on a custom VPN application for Mac OS X also. Our VPN application, as all other VPN applications, stores a connection log locally on the computer for troubleshooting purposes. This information is only stored locally and can’t be accessed by us or anyone else. The connection logs contain information about which VPN server the user is connecting to and any kind of errors.

10. We use a DNS from Censurfridns.

11. We have physical control over our servers and network in Sweden. All other servers and networks are hosted by ReTN, Kaia Global Networks, Leaseweb, Blix, Creanova, UK2, Fastweb, Server.lu, Selectel and Netrouting. We ONLY work with trusted providers.

12. Sweden, United States, Switzerland, Great Britain, France, Denmark, Luxembourg, Finland, Norway, Romania, Russia, Germany, Netherlands, Canada, Singapore, Australia, Spain, Italy, Poland and Ukraine. We’re still expanding our locations on customers’ demands.

PrivateVPN website

CRYPTOSTORM

1. Nope, no logs. We use OpenVPN with logs set to /dev/null, and we’ve even gone the extra mile by preventing client IPs from appearing in the temporary “status” logs using our patch available at https://cryptostorm.is/noip.diff.

2. We’re a decentralized project, with intentional separation of loosely-integrated project components. We own no intellectual property, patents, trademarks, or other such things that would require a corporate entity in which ownership could be enforced by the implied threat of State-backed violence; all our code is published and licensed opensource.

3. No, we don’t use any external visitor tracking or email providers.

4. Our choice is to reply to any such messages that are not obviously generated by automated (and quite likely illegal) spambots. In our replies, we ask for sufficient forensic data to ascertain whether the allegation has enough merit to warrant any further consideration. We have yet to receive such forensic data in response to such queries, despite many hundreds of such replies over the years.

5. See above. We have never received any valid court orders requesting the identity of a user, but if we ever did receive such a request, it would be impossible for us to comply as we keep no such information.

6. Yes, all traffic is allowed.

7. We accept PayPal and bitcoin via BitPay, although we will manually process any other altcoin if a customer wishes. We don’t have financial information connected in any way to the real-life identity of our network members; our token-based authentication system removes this systemic connection, and thus obviates any temptation to “squeeze” us for private data about network membership. We quite simply know nothing about anyone using our network… save for the fact that they have a non-expired (SHA512 hash of a) token when they connect. Also, we now process BitPay orders instantly in-browser, so we no longer require an email address for bitcoin orders.

8. We only support one cipher suite on-net. Offering “musical chairs” style cipher suite roulette is bad opsec, bad cryptography, and bad administrative practice. There is no need to support deprecated, weak, or known-broken suites in these network security models; unlike browser-based https/tls, there are no legacy client-side software suites that must be supported. As such, any excuse for deploying weak cipher suites is untenable. Everyone on cryptostorm receives equal and full security attention, including those using our free/capped service “Cryptofree”

There are no “kill switch” tools available today that actually work. We have tested them, and until we have developed tools that pass intensive forensic scrutiny at the NIC level, we will not claim to have such. Several in-house projects are in the works, but none are ready yet for public testing.

We take standard steps to encourage client-side computing environments to route DNS queries through our sessions when connected. However, we cannot control things such as router-based DNS queries, Teredo-based queries that slip out via IPv6, or unscrupulous application-layer queries to DNS resolvers that, while sent in-tunnel, nevertheless may be using arbitrary resolver addressing. Our Windows client attempts to prevent some of this, but it’s currently impossible to do so completely. We are saddened to see others who claim they have such “magical” tools; getting a “pass” from a handful of “DNS leak” websites is not the same as protecting all DNS query traffic. Those who fail to understand that are in need of remedial work on network architecture.

As we run our own mesh-based system of DNS resolvers, “deepDNS”, we have full and arbitrary control over all levels of DNS resolution presentation to third parties.

9. We offer an open source application written in Perl (dubbed the “CS widget”), source code available at GitHub. Currently only for Windows, but we are working on porting it to Linux. The application is essentially an OpenVPN GUI with some tweaks here and there to prevent different types of leaks (DNS, IPv6, etc.), and to make connecting as easy as possible. Output from the backend OpenVPN process is shown in the GUI. When you exit the program, that data is forgotten.

10. We have constructed a mesh-topology system of redundant, self-administered secure DNS resolvers which has been collected under the label of “deepDNS”. deepDNS is a full in-house mechanism that prevents any DNS related metadata from being tied to any particular customer. It also allows us to provide other useful features such as transparent .onion, .i2p, .p2p, etc. access. There is also DNSCrypt support on all deepDNS servers to help protect pre-connect DNS queries.

11. We deploy nodes in commodity datacenters that are themselves stripped of all customer data and thus disposable in the face of any potential attacks that may compromise integrity. We have in the past taken down such nodes based on an alert from onboard systems and offsite, independently maintained remote logs that confirmed a violation was taking place. It is important to note that such events do not explicitly require us to have physical control of the machine in question: we push nameserver updates, via our HAF (Hostname Assignment Framework) out via redundant, parallel channels to all connected members and by doing so we can take down any node on the network within less than 10 minutes of initial commit.

12. Our current server list (as of the beginning of 2016) is: Moldova, Switzerland, Canada, Portugal, Germany, Italy, France, England and USA. Keep in mind that we are constantly adding new servers to this list.

CryptoStorm website

BOLEHVPN

1. No.

2. BV Internet Services Limited, Seychelles.

3. We use Zendesk and Zopim but will be weaning this off. We generally delete Zendesk tickets older than 6 months. We are exploring moving to open source self hosted options (such as osticket) but feel that the user experience of such options is less than ideal. This is definitely an area that we are actively looking at with the revision of our customer portal that is underway. We have been using Google Analytics to gauge our conversions and where our customers are coming from but have removed this. E-mail is self hosted.

4. Generally we work with the providers to resolve the issue and we have never given up any of our customer information. Generally we terminate our relationship with the provider if this is not acceptable. Our US servers under DMCA jurisdiction or UK (European equivalent) have P2P locked down.

5. This has not happened yet but we do not keep any user logs so there is not much that can be provided especially if the payment is via an anonymous channel. One of our founders is a lawyer so such requests will be examined on their validity and we will resist such requests if done without proper cause or legal backing. We also endeavor to keep our customers informed if there are any such requests. If we are prevented from doing so, we also maintain a PGP signed warrant canary which is updated in the first week of every month which will cease to be updated if we are required to log without informing our users. (http://bolehvpn.net/canary.html)

6. Yes, it is allowed except on those marked Surfing-Streaming and BolehGEO which are restricted either due to the provider’s policies or limited bandwidth.

7. We use MolPay, 2Checkout, Paypal, Coinbase (Bitcoin), Coinpayments (Dash and XEM) and direct deposits. On our system it is only marked the Invoice ID, the account it’s for, the method of payment and whether it’s paid or not. We however of course do not have control of what is stored with the payment providers.

8. Our Cloak configurations implement 256 bit AES and a SHA-512 HMAC combined with a scrambling obfuscation layer. We do have a lock down/kill switch feature and DNS leak protection.

9. Yes, for Windows and Mac OS X. There’s a basic user log with a very minimal verbosity level of 1 (where 0 is silent and 9 is most verbose) stored in log.txt in the installation folder. Users are free to delete this if they wish from time to time. They are mainly used for troubleshooting purposes.

10. Yes, we do use our own DNS servers.

11. Our servers are rented from server providers throughout the world with whom we have built a longstanding relationship. However we do retain full root access. We are not a white label reseller and control our own infrastructure. It is to be noted that our VPN service authenticates entirely using public key infrastructure (PKI) without the requirement to use a central authentication server. This means that there is no communication needed from our customer portal server to establish a valid VPN connection to our VPN servers meaning there is no central authentication point.

12. We have servers in Canada, France, Germany, Italy, Japan, Luxembourg, the Netherlands, Singapore, Switzerland, United Kingdom and United States.

BolehVPN website

AZIREVPN

1. No

2. Nessla AB, registered in Sweden.

3. No, 100% self-hosted, no third parties at all.

4. Since DMCA is not applicable in Sweden, these are ignored. If they keep sending e-mails we politely tell them that we cannot hand out any information or stop the activity since we have no possibility to trace the user, and no logs are kept.

5. We inform the other party that we are unable to hand out any information since we do not keep any logs or monitor the traffic.

6. Yes

7. PayPal, Credit card, Bitcoins, Swish.

8. AES-256-CBC with SHA512 HMAC and TLS authentication. We do not provide any kill switches but since our DNS servers are open for anyone to use we recommend all users to use them as default DNS servers to prevent leaks and blocking from their own ISP’s DNS.

9. No. We use the official open-source’d OpenVPN client.

10. Yes, hosted in-house.

11. We have physical control over our servers.

12. Sweden, USA.

AzireVPN website

ANONYMIZER

1. Anonymizer does not log ANY traffic that traverses our system, ever. We do not maintain any logs that would allow you to match an IP-address and time stamp to a user of our service.

2. Our company is registered as Anonymizer Inc. Anonymizer Inc. operates under U.S. jurisdiction where there are no data retention laws.

3. Anonymizer uses a ticketing system for support, but does not request user verification unless it is needed specifically in support of a ticket. Anonymizer uses a bulk email service for email marketing, but does not store any details on the individual email address that would connect them to being an existing customer. Anonymizer uses Google Analytics and Google Adwords to support general marketing to new customers. Both of these tools do not store identifiable information on any unique customer or any way to identify a specific individual as a user of our service. We also actively ensure no link is created from the data in either system to any specific customer following a trial or purchase of our product.

4. We can’t. We don’t monitor or log traffic. When we receive reports of abuse, we have no way to isolate or remediate it.

5. Anonymizer Inc. only responds to official valid court orders or subpoenas that comply with information we have available. Since we do not log any traffic that comes over our system, we have nothing to provide in response to requests associated to service use. If a user paid by credit card we can only confirm that they purchased access to our service. There is, and would be, no way to connect a specific user to specific traffic ever. There have been instances where we did receive valid court orders and followed our above procedures. In the 20 years of service we have never identified details about a customer’s traffic or activities.

6. All traffic is allowed on all of our servers.

7. Anonymizer Inc. uses a payment processor for our credit card payments. There is a record of the payment for the service and the billing information associated to the credit card confirming the service has been paid for. We also offer a cash payment option and will soon offer crypto-currency options i.e. Bitcoin. Cash payment options do not store any details.

8. We would recommend OpenVPN for a user that is looking for the most secure connection. We feel it is the most reliable and stable connection protocol currently. Our OpenVPN implementation uses AES-256. We also offer L2TP, which is IPSEC. Anonymizer’s client software has the option to enable a kill switch that prevents any web traffic from exiting your machine without going through the VPN.

9. We offer a custom VPN application for OSX and Windows. Our default application log only logs fatal errors that occur within the application which prevents the application from running.

10. Yes, we operate our own DNS servers.

11. We own ALL of our hardware, and have full physical control of our servers. No third party has access to our environment.

12. We have servers in the United States and Netherlands.

Anonymizer website
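The providers' answers on encryption and leak protection above name concrete settings (AES-256-CBC, SHA512 HMAC, TLS authentication, DNS leak prevention in the OpenVPN client, a low log verbosity). The following is an added example, not code from TorrentFreak or any provider, that checks an OpenVPN client profile against those settings; the baseline choice, the sample profiles and the host name are assumptions constructed for illustration.

```python
import shlex

# Audit baseline taken from the providers' answers above (AES-256-CBC, SHA512 HMAC).
EXPECTED = {"cipher": "AES-256-CBC", "auth": "SHA512"}
# Directives whose absence undermines the authentication and leak-protection claims.
REQUIRED = {
    "tls-auth": "no HMAC key protects the TLS control channel",
    "remote-cert-tls": "the server certificate's usage is not checked",
    "block-outside-dns": "Windows may still send DNS queries outside the tunnel",
}

def parse_ovpn(text):
    """Map each directive to the list of its argument lists, skipping inline blocks."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                                # inside <ca>...</ca> or similar
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":           # OpenVPN comment markers
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline = line[1:-1]
            directives.setdefault(inline, []).append(["[inline]"])
            continue
        parts = shlex.split(line, comments=True)
        if parts[:2] == ["setenv", "opt"]:        # "setenv opt X": X, tolerated by clients lacking it
            parts = parts[2:]
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def audit(text):
    """Return sorted (directive, problem) tuples; an empty list means the baseline is met."""
    d = parse_ovpn(text)
    findings = []
    for name, want in EXPECTED.items():
        args = d[name][-1] if name in d else []   # judge the last occurrence in the file
        if not args:
            findings.append((name, "not set, so the client uses OpenVPN's built-in default"))
        elif args[0].upper() != want:
            findings.append((name, f"{args[0]} configured, expected {want}"))
    for name, problem in REQUIRED.items():
        if name not in d:
            findings.append((name, problem))
    verb = d.get("verb", [["1"]])[-1]
    if verb and verb[0].isdigit() and int(verb[0]) > 4:
        findings.append(("verb", f"debug-level verbosity {verb[0]} in the client log"))
    return sorted(findings)

# Constructed sample profiles (host name, key file and certificate body are placeholders).
WEAK = """\
client
dev tun
remote vpn.example.net 1194 udp
cipher BF-CBC
auth SHA1
verb 6
<ca>
-----BEGIN CERTIFICATE-----
cipher AES-256-CBC   (text inside an inline block must not be read as a directive)
-----END CERTIFICATE-----
</ca>
"""

HARDENED = """\
client
dev tun
remote vpn.example.net 1194 udp
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
tls-auth ta.key 1
setenv opt block-outside-dns   # Windows-only directive
verb 1
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for directive, problem in audit(profile) or [("ok", "baseline met")]:
            print(f"  {directive}: {problem}")
```

A clean result only says the profile requests these settings; it does not show what the server enforces or that no traffic leaks in practice.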

MORE VPN PROVIDERS WITHOUT LOGS

STRONGVPN

VPN LAND

ACEVPN

OCTANEVPN

VPNAUS

ZORROVPN

HIDE.ME

AIRVPN

HIDEIPVPN

OVPN

PERFECT PRIVACY

PROXY.SH

VPNSECURE

SECUREVPN.TO

TRUST.ZONE

DOUBLEHOP

NORDVPN

VIKINGVPN

SHADEYOUVPN

GHOSTPATH

STEGANOS

EXPRESSVPN

FROOTVPN

CYBERGHOST

OVPN.TO

VPN PROVIDERS WITH SOME LOGS (MAX 7 DAYS)

CACTUSVPN

NOLIMITVPN

VPN.AC

VPN UNLIMITED

FACELESS

IRONSOCKET

IBVPN

SEED4.ME

VPN providers who think they deserve a listing in this overview are welcome to get in touch.

Hola VPN Sells Users’ Bandwidth, Founder Confirms

Posted: 28 May 2015 08:21 AM PDT

Faced with increasing local website censorship and Internet services that restrict access depending on where a user is based, more and more people are turning to specialist services designed to overcome such limitations.

With prices plummeting to just a few dollars a month in recent years, VPNs are now within the budgets of most people. However, there are always those who prefer to get such services for free, without giving much consideration to how that might be economically viable.

One of the most popular free VPN/geo-unblocking solutions on the planet is operated by Israel-based Hola. It can be added to most popular browsers in seconds and has an impressive seven million users on Chrome alone. Overall the company boasts 46 million users of its service.

Now, however, the company is facing accusations from 8chan message board operator Fredrick Brennan. He claims that Hola users’ computers were used to attack his website without their knowledge, and that this was made possible by the way Hola is set up.

“When a user installs Hola, he becomes a VPN endpoint, and other users of the Hola network may exit through his internet connection and take on his IP. This is what makes it free: Hola does not pay for the bandwidth that its VPN uses at all, and there is no user opt out for this,” Brennan says.

This means that rather than having their IP addresses cloaked behind a private server, free Hola users are regularly exposing their IP addresses to the world but associated with other people’s traffic – no matter what that might contain.

While this will come as a surprise to many, Hola says it has never tried to hide the methods it employs to offer a free service.

Speaking with TorrentFreak, Hola founder Ofer Vilenski says that his company offers two tiers of service – the free option (which sees traffic routed between Hola users) and a premium service, which operates like a traditional VPN.

However, Brennan says that Hola goes a step further, by selling Hola users’ bandwidth to another company.

“Hola has gotten greedy. They recently (late 2014) realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet (right now, for HTTP requests only) at https://luminati.io,” the 8chan owner says.

TorrentFreak asked Vilenski about Brennan’s claims. Again, there was no denial.

“We have always made it clear that Hola is built for the user and with the user in mind. We’ve explained the technical aspects of it in our FAQ and have always advertised in our FAQ the ability to pay for non-commercial use,” Vilenski says.

And this is how it works.

Hola generates revenue by selling a premium service to customers through its Luminati brand. The resources and bandwidth for the Luminati product are provided by Hola users’ computers when they are sitting idle. In basic terms, Hola users get their service for free as long as they’re prepared to let Hola hand their resources to Luminati for resale. Any users who don’t want this to happen can buy Hola for $5 per month.

Fair enough perhaps – but how does Luminati feature in Brennan’s problems? It appears his interest in the service was piqued after 8chan was hit by multiple denial of service attacks this week which originated from the Luminati / Hola network.

“An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan’s post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM,” Brennan says.

Again, TorrentFreak asked Vilenski for his input. Again, there was no denial.

“8chan was hit with an attack from a hacker with the handle of BUI. This person then wrote about how he used the Luminati commercial VPN network to hack 8chan. He could have used any commercial VPN network, but chose to do so with ours,” Vilenski explains.

“If 8chan was harmed, then a reasonable course of action would be to obtain a court order for information and we can release the contact information of this user so that they can further pursue the damages with him.”

Vilenski says that Hola screens users of its “commercial network” (Luminati) prior to them being allowed to use it but in this case “BUI” slipped through the net. “Adjustments” have been made, Hola’s founder says.

“We have communicated directly with the founder of 8Chan to make sure that once we terminated BUI’s account they’ve had no further problems, and it seems that this is the case,” Vilenski says.

It is likely the majority of Hola’s users have no idea how the company’s business model operates, even though it is made fairly clear in its extensive FAQ/ToS [see note below]. Installing a browser extension takes seconds and if it works as advertised, most people will be happy.

Whether this episode will affect Hola’s business moving forward is open to question but for those with a few dollars to spend there are plenty of options in the market. Until then, however, those looking for free options should read the small print before clicking install.

Update: It appears that Hola only recently changed/edited their FAQ to add in the details about Luminati. We have asked the company to tell us exactly when those changes were made. Updates when they arrive.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.
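Brennan describes thousands of POST requests to post.php within 30 seconds, a 100x spike over peak traffic, arriving through the Luminati / Hola network. The following is an added detection example, not code from 8chan, Hola or TorrentFreak: it counts POSTs to one endpoint across all sources in a sliding 30-second window and reports whether a per-source rate limit would have tripped. The combined log format, the baseline value, the per-source limit and the generated log (in which every burst request exits through a different address) are assumptions constructed for illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta, timezone

# Assumed format: common/combined access log, e.g.
# 2001:db8::1 - - [26/May/2015:12:05:00 +0000] "POST /post.php HTTP/1.1" 200 512
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (timestamp, source, method, path without query string) or None."""
    m = LINE.match(line)
    if not m:
        return None
    source, ts, method, path, _status = m.groups()
    return datetime.strptime(ts, TS_FORMAT), source, method, path.split("?", 1)[0]

def detect_bursts(lines, path, baseline_peak, factor=100, window_s=30, per_source_limit=20):
    """Alert when POSTs to `path` in any window reach factor x the known peak.

    Lines must be in time order. One alert dict is produced per burst.
    """
    threshold = baseline_peak * factor
    window = deque()                      # (timestamp, source) of POSTs inside the window
    alerts, active = [], None
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "POST" or rec[3] != path:
            continue
        ts, source = rec[0], rec[1]
        window.append((ts, source))
        while (ts - window[0][0]).total_seconds() >= window_s:
            window.popleft()
        if len(window) < threshold:
            active = None                 # burst over, re-arm
            continue
        if active is None:
            active = {"start": window[0][0], "peak": 0}
            alerts.append(active)
        if len(window) > active["peak"]:
            per_source = Counter(src for _, src in window)
            active.update(peak=len(window), sources=len(per_source),
                          max_per_source=max(per_source.values()))
            # Would a classic per-source limiter have noticed anything?
            active["per_source_limit_trips"] = active["max_per_source"] > per_source_limit
    return alerts

T0 = datetime(2015, 5, 26, 12, 0, 0, tzinfo=timezone.utc)   # constructed date
BURST_START = T0 + timedelta(seconds=300)

def constructed_log():
    """Constructed sample: 5 minutes at 5 POSTs per 30 s, then 600 POSTs in 30 s,
    each burst request from a different documentation-range address."""
    fmt = '{src} - - [{ts}] "POST /post.php HTTP/1.1" 200 512'
    lines = []
    for i in range(50):
        ts = T0 + timedelta(seconds=6 * i)
        lines.append(fmt.format(src=f"198.51.100.{i % 20 + 1}", ts=ts.strftime(TS_FORMAT)))
    for i in range(600):
        ts = BURST_START + timedelta(seconds=i // 20)
        lines.append(fmt.format(src=f"2001:db8::{i + 1:x}", ts=ts.strftime(TS_FORMAT)))
    return lines

if __name__ == "__main__":
    for alert in detect_bursts(constructed_log(), "/post.php", baseline_peak=5):
        print(alert)
```

In the constructed burst no single source sends more than one request, so the aggregate per-endpoint count is the only signal that fires.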

Which VPN Services Take Your Anonymity Seriously? 2015 Edition

Securethoughts best VPN (Explains VPN in a more graphical way)

By now most Internet users are well aware of the fact that pretty much every step they take on the Internet is logged or monitored.

To prevent their IP-addresses from being visible to the rest of the Internet, millions of people have signed up to a VPN service. Using a VPN allows users to use the Internet anonymously and prevent snooping.

Unfortunately, not all VPN services are as anonymous as they claim, as several incidents have shown in the past.

By popular demand we now present the fourth iteration of our VPN services “logging” review. In addition to questions about logging practices, we also asked VPN providers about other privacy sensitive policies, so prospective users can make an informed decision.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. Under what jurisdiction(s) does your company operate?

3. What tools are used to monitor and mitigate abuse of your service?

4. Do you use any external email providers (e.g. Google Apps) or support tools ( e.g Live support, Zendesk) that hold information provided by users?

5. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

6. What steps are taken when a valid court order requires your company to identify an active user of your service? Has this ever happened?

7. Does your company have a warrant canary or a similar solution to alert customers to gag orders?

8. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

9. Which payment systems do you use and how are these linked to individual user accounts?

10. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?

11. Do you use your own DNS servers? (if not, which servers do you use?)

12. Do you have physical control over your VPN servers and network or are they outsourced and hosted by a third party (if so, which ones)? Where are your servers located?

Below is the list of responses we received from various VPN providers, in their own words. In some cases we asked for further clarification. VPN providers who keep logs for longer than 7 days were excluded, as were those who simply failed to respond.

Please note that several VPN companies listed here do log to some extent. We therefore divided the responses into a category of providers who keep no logs (page 1/2) and one for those who keep usage and/or session logs (page 3). The order of the VPNs within each category holds no value.

We are also working on a convenient overview page as well as dedicated review pages for all providers, with the option for users to rate theirs and add a custom review. These will be added in the near future.

VPNs That Keep No Logs

Private Internet Access

1. We do not log, period. This includes, but is not limited to, any traffic data, DNS data or meta (session) data. Privacy IS our policy.

2. We choose to operate in the US in order to provide no logging service, as there is no mandatory data retention law in the US. Additionally, our beloved clients are given access to some of the strongest consumer protection laws, and thus, are able to purchase with confidence.

3. We do not monitor our users, period. That said, we have a proprietary system in place to help mitigate abuse.

4. We utilize SendGrid as an external mailing system and encourage users to create an anonymous e-mail when signing up depending on their adversarial risk level. Our support system is in-house as we utilize Kayako.

5. We have a proprietary system in place that allows us to comply in full with DMCA takedown notices without disrupting our users’ privacy. Because we do not log our users’ activities in order to protect and respect their privacy, we are unable to identify particular users that may be infringing the lawful copyrights of others.

6. We do not log and therefore are unable to provide information about any users of our service. We have not, to date, been served with a valid court order that has required us to provide something we do not have.

7. We do not have a warrant canary in place at this time as the concept of a warrant canary is, in fact, flawed at this time, or in other words, is “security theater.”

8. We do not attempt to filter, monitor, censor or interfere in our users’ activity in any way, shape or form. BitTorrent is, by definition, allowed.

9. We utilize a variety of payment systems including, but not limited to, PayPal, Stripe, Amazon, Google, Bitcoin, Stellar, CashU, Ripple, Most Major Store Bought Gift card, PIA Gift cards (available in retail stores for “cash”), and more. We utilize a hashing system to keep track of payments and credit them properly while ensuring the strongest levels of privacy for our users.

10. The most secure VPN connection and encryption algorithm that we would recommend to our users would be our suite of AES-256, RSA 4096 and SHA1 or 256. However, AES-128 should still be considered quite safe. For users of Private Internet Access specifically, we offer addon tools to help ensure our beloved clients’ privacies including:

– Kill Switch : Ensures that traffic is only routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic would simply not be routed.
– IPv6 Leak Protection : Protects clients from websites which may include IPv6 embeds which could leak IPv6 IP information.
– DNS Leak Protection : This is built in and ensures that DNS requests are made through the VPN on a safe, private no-log DNS daemon.
– Shared IP System : We mix clients’ traffic with many clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.

11. We are currently using our own DNS caching.

12. We utilize third party datacenters that are operated by trusted friends and, now, business partners who we have met and completed our due diligence on. Our servers are located in: USA, Canada, UK, Switzerland, Amsterdam, Sweden, Paris, Germany, Romania, Hong Kong, Israel, Australia and Japan. We have over 2,000 servers deployed at the time of writing with over 1,000 in manufacture/shipment at this time.

Private Internet Access website

TorGuard

1. No logs are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network because since day one we engineered every aspect of the operation from the ground up, permitting us full control over the smallest details. In addition to a strict no logging policy we run a shared IP configuration that provides an added layer of anonymity to all users. With hundreds of active sessions sharing a single IP address at any given time it becomes impossible to back trace usage.

2. At the time of this writing our headquarters currently operates from the United States. Due to the lack of data retention laws in the US, our legal team has determined this location to be in the best interest of privacy for the time being. Although TorGuard’s HQ is in the US, we take the commitment to user privacy seriously and will uphold this obligation at all costs, even if it means transferring services or relocating company assets.

3. Our network team uses a combination of open source monitoring apps and custom developed tools to mitigate any ongoing abuse of our services. This allows us to closely monitor server load and uptime so we can pinpoint and resolve potential problems quickly. If abuse reports are received from an upstream provider, we block them in real-time by employing various levels of firewall rules to large blocks of servers. Should these methods fail, our team is quick to recycle entire IP blocks and re-deploy new servers as a last resort.

4. For basic troubleshooting and customer service purposes we utilize Livechatinc for our chat support. TorGuard staff does make use of Google Apps for company email, however no identifying client information like passwords, or billing info is ever shared among either of these platforms. All clients retain full control over account changes in our secure member’s area without any information passing through an insecure channel.

5. Because we do not host any content it is not possible for us to remove anything from a server. In the event a DMCA notice is received it is immediately processed by our abuse team. Due to our shared network configuration we are unable to forward any requests to a single user. In order to satisfy legal requirements from bandwidth providers we may temporarily block infringing protocols, ports, or IPs.

6. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of a shared IP configuration and the fact that we do not hold any identifying logs. No, we remain unable to identify any active user from an external IP address and time stamp.

7. No, at this time we do not have a warrant canary.

8. Yes, TorGuard was designed with the BitTorrent enthusiast in mind. P2P is allowed on all servers, although for best performance we suggest using locations that are optimized for torrents. Users can find these servers clearly labeled in our VPN software.

9. We currently accept over 200 different payment options through all forms of credit card, PayPal, Bitcoin, altcoins (e.g. dogecoin, litecoin + more), Paysafecard, Alipay, CashU, Gift Cards, and many other methods. No usage can be linked back to a billing account due to the fact that we maintain zero logs across our network.

10. For best security we advise clients to use OpenVPN connections only and for encryption use AES256 with 2048bit RSA. Additionally, TorGuard VPN offers “Stealth” protection against DPI (Deep Packet Inspection) interference from a nosey ISP so you can access the open web freely even from behind the Great Firewall of China. These options are available on select locations and offer excellent security due to the cryptography techniques used to obfuscate traffic. Our VPN software uses OpenVPN exclusively and features built in DNS leak protection, an App Killswitch, and a connection Killswitch. We have also just released a built in WebRTC leak block feature for Windows Vista/7/8 users.

11. Yes, we offer private, no log DNS servers which can be obtained by contacting our support desk. By default we also use Google DNS and OpenDNS for performance reasons on select servers.

12. TorGuard currently maintains 1000+ servers in over 44 countries around the world and we continue to expand the network every month. We retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by our in house networking team via a single, secure key. We have servers in Australia, Belgium, Brazil, Canada, China, Costa Rica, Czech Republic, Denmark, Egypt, Finland, France, Germany, Greece, Hong Kong, Iceland, India, Indonesia, Ireland, Italy, Japan, Korea, Latvia, Luxembourg, Malaysia, Mexico, Netherlands, New Zealand, Norway, Panama, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sweden, Switzerland, Tunisia, Turkey, United Kingdom, USA, and Vietnam.

TorGuard website
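Several answers to question 10 name concrete OpenVPN settings: AES-256, SHA1 or SHA256, and DNS and IPv6 leak protection. The following is an added example, not code from TorrentFreak or from any provider listed here, that audits an OpenVPN client profile for those settings; the sample profiles, the hostname and the finding codes are constructed for illustration.

```python
"""Audit an OpenVPN client profile for the settings named in the Q10 answers."""

# Constructed sample profiles; hostname and addresses are placeholders.
WEAK_PROFILE = """\
client
dev tun
remote vpn.example.net 1194 udp
cipher BF-CBC
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
remote vpn.example.net 1194 udp
cipher AES-256-CBC
auth SHA256
redirect-gateway def1 ipv6
dhcp-option DNS 10.8.0.1
setenv opt block-outside-dns
"""

# AES-128 is accepted too: one response calls it "still quite safe".
OK_CIPHERS = {"AES-256-CBC", "AES-256-GCM", "AES-128-CBC", "AES-128-GCM"}
STRONG_DIGESTS = {"SHA256", "SHA384", "SHA512"}


def parse_profile(text):
    """Map each directive to a list of its argument lists.

    Comments (# or ;) and inline <ca>...</ca> style blocks are skipped.
    'setenv opt X' is recorded as X, the form profiles use for options
    that some client builds do not recognise.
    """
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            continue
        if in_block:
            continue
        parts = line.split()
        if parts[0] == "setenv" and len(parts) > 2 and parts[1] == "opt":
            parts = parts[2:]
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit(text):
    """Return a list of (code, message) findings; an empty list means clean."""
    d = parse_profile(text)
    findings = []

    ciphers = [a[0].upper() for a in d.get("cipher", []) if a]
    for args in d.get("data-ciphers", []) + d.get("ncp-ciphers", []):
        if args:
            ciphers += args[0].upper().split(":")
    if not ciphers:
        findings.append(("no-cipher", "no cipher set; the historical "
                         "OpenVPN default is BF-CBC"))
    for c in ciphers:
        if c not in OK_CIPHERS:
            findings.append(("weak-cipher", f"{c} is not AES-128/256"))

    # GCM ciphers authenticate the data channel themselves, so the
    # 'auth' digest only matters when a non-GCM cipher can be used.
    if not ciphers or any(not c.endswith("-GCM") for c in ciphers):
        digests = [a[0].upper() for a in d.get("auth", []) if a]
        if not digests:
            findings.append(("default-auth-sha1", "no auth directive; "
                             "OpenVPN then uses HMAC-SHA1"))
        for dg in digests:
            if dg not in STRONG_DIGESTS:
                findings.append(("weak-auth", f"auth {dg}; prefer SHA256+"))

    # Leak protection that is visible in the profile itself. A kill switch
    # is a firewall feature of the client and cannot be checked here.
    if "redirect-gateway" not in d:
        findings.append(("no-redirect", "default route not redirected by "
                         "the profile; depends on what the server pushes"))
    elif not any("ipv6" in [x.lower() for x in a] for a in d["redirect-gateway"]):
        findings.append(("no-ipv6-redirect", "IPv6 is not routed through "
                         "the tunnel by this profile"))
    if not any(a and a[0].upper() == "DNS" for a in d.get("dhcp-option", [])):
        findings.append(("no-tunnel-dns", "no tunnel DNS server set; "
                         "depends on what the server pushes"))
    if "block-outside-dns" not in d:
        findings.append(("no-block-outside-dns", "Windows clients may still "
                         "query DNS servers outside the tunnel"))
    return findings


if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, [code for code, _ in audit(prof)])
```

A clean result only covers what the profile file states; settings pushed by the server and the client's firewall-based kill switch still have to be verified on a live connection.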

IPVanish

1. IPVanish has a zero-log policy. We keep NO traffic logs on any customer, ever.

2. IPVanish is headquartered in the US and thus operates under US law.

3. IPVanish monitors CPU utilization, bandwidth and connection counts. When thresholds are passed, a server may be removed from rotation as to not affect other users.

4. IPVanish does not use any external support tools that hold user information. We do, however, operate an opt-in newsletter that is hosted at Constant Contact. Customers are in no way obligated to sign up for the newsletter.

5. IPVanish keeps no logs of any user’s activity and responds accordingly.

6. IPVanish, like every other company, follows the law in order to remain in business. Only US law applies.

7. No.

8. P2P is permitted. IPVanish does not block or throttle any ports, protocols, servers or any type of traffic whatsoever.

9. Bitcoin, PayPal and all major credit cards are accepted. Payments and service use are in no way linked. User authentication and billing info are also managed on completely different and independent platforms.

10. We recommend OpenVPN with 256 bit AES as the most secure VPN connection and encryption algorithm. IPVanish’s service and software also currently provide DNS leak prevention. We are developing a kill switch in upcoming releases of our software.

11. IPVanish does use its own DNS servers. Local DNS is handled by the server a user connects to.

12. IPVanish is one of the only tier-1 VPN networks, meaning we own and operate every aspect of our VPN platform, including physical control of our VPN servers. This gives IPVanish users security and speed advantages over other VPN services. IPVanish servers can be found in over 60 countries including the US, UK, Canada, Netherlands and Australia.

IPVanish website

IVPN

1. No, this is fundamental to the service we provide. It is also in our interests not to do so as it minimizes our own liability.

2. Gibraltar. In 2014 we decided to move the company from Malta to Gibraltar in light of the new 2015 EU VAT regulations which affect all VPN service providers based in the EU. The EU VAT regulations now require companies to collect two pieces of non-conflicting evidence about the location of a customer; this would be at a minimum the customer’s physical address and IP address.

3. We have built a number of bespoke systems over the last 5 years as we’ve encountered and addressed most types of abuse. At a high level we use Zabbix, an open-source monitoring tool that alerts us to incidents. As examples we have built an anti-spam rate-limiter based on iptables so we don’t have to block any email ports and forked a tool called PSAD which allows us to detect attacks originating from our own network in real time.

4. No. We made a strategic decision from the beginning that no company or customer data would ever be stored on 3rd party systems. Our customer support software, email, web analytics (Piwik), issue tracker, monitoring servers, code repo’s, configuration management servers etc. all run on our own dedicated servers that we setup, configure and manage.

5. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we never store the IP addresses of customers connected to our network nor are we legally required to do so.

6. That would depend on the information with which we were provided. If asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provide us with an email address and asked for the customer’s identity then we reply that we do not store any personal data, we only store a customer’s email address. If the company were served with a valid court order that did not breach the Data Protection Act 2004 we could only confirm that an email address was or was not associated with an active account at the time in question. We have never been served with a valid court order.

7. Yes absolutely, we’ve published a canary since August 2014.

8. Yes, we don’t block BitTorrent or any other protocol on any of our servers. We do kindly request that our customers use non-USA based exit servers for P2P. Any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.

9. We accept Bitcoin, Cash and Paypal. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin (See part 7 of our advanced privacy guides). With Paypal we store the subscription ID in our system so we can associate incoming subscription payments. This information is deleted immediately when an account is terminated.

10. We provide RSA-4096 / AES-256 with OpenVPN, which we believe is more than secure enough for our customers’ needs. If you are the target of a state level adversary or other such well-funded body you should be far more concerned with increasing your general opsec than worrying about 2048 vs 4096 bit keys. The IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible (DNS, network failures, WebRTC STUN, IPv6 etc.). It also has an ‘always on’ mode that will be activated on boot before any process on the computer starts. This will ensure that no packets are ever able to leak outside of the VPN tunnel.

11. Yes. Once connected to the VPN all DNS requests are sent to our pool of internal recursive DNS servers. We do not use forwarding DNS servers that forward the requests to a public DNS server such as OpenDNS or Google.

12. We use dedicated servers leased from 3rd party data centers in each country where we have a presence. We employ software controls such as full disk encryption and no logging to ensure that if a server is ever seized its data is worthless. We also operate a multi-hop network so customers can choose an entry and exit server in different jurisdictions to make the adversary’s job of correlating the traffic entering and exiting our network significantly more complicated. We have servers located in Switzerland, Germany, Iceland, Netherlands, Romania, France, Hong-Kong, USA, UK and Canada.

IVPN website

PrivateVPN

1. We don’t keep ANY logs that allow us or a 3rd party to match an IP address and a time stamp to a user of our service. The only thing we log are e-mails and user names but it’s not possible to bind an activity on the Internet to a user on PrivateVPN.

2. We operate in Swedish jurisdiction.

3. If there’s abuse, we advise that service to block our IP in the first instance, and second, we can block traffic to the abused service.

4. No. We use a service from Provide Support (ToS) for live support. They do not hold any information about the chat session. From Provide support: Chat conversation transcripts are not stored on Provide Support chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email according to the user account settings, and then destroyed.

5. This depends on the country in which we’re receiving a DMCA takedown. For example, we’ve received a DMCA takedown for UK and Finland and our response was to close P2P traffic in those countries.

6. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there.

7. We’re working on a solution where we publish a statement that we haven’t received legal process. Once we receive a legal process, this canary statement is removed.

8. Yes, we allow Torrent traffic.

9. PayPal, Payson, 2Checkout and Bitcoin. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us.

10. OpenVPN TUN with AES-256. On top is a 2048-bit DH key. For our Windows VPN client, we have a feature called “Connection guard”, which will close a selected program(s) if the connection drops. We have no tools for DNS leak but we’re working on a protection that detects the DNS leak and fixes this by changing to a secure DNS server.

11. We use a DNS from Censurfridns.

12. We have physical control over our servers and network in Sweden. All other servers and networks are hosted by ReTN, Kaia Global Networks, Leaseweb, FDCServers, Blix, Zen systems, Wholesale Internet, Creanova, UK2, Fastweb, Server.lu, Selectel, Amanah and Netrouting. We have servers located in: Sweden, United States, Switzerland, Great Britain, France, Denmark, Luxembourg, Finland, Norway, Romania, Russia, Germany, Netherlands, Canada and Ukraine.

PrivateVPN website

PRQ

1. No

2. Swedish

3. Our own.

4. No

5. We do not care about DMCA.

6. We only require a working e-mail address to be a customer, no other information is kept.

7. No.

8. As long as the usage doesn’t violate the ToS, we do not care.

9. None of the payment methods are linked to a user.

10. OpenVPN, customers have to monitor their service/usage.

11. Yes.

12. Everything is inhouse in Sweden.

PRQ website

Mullvad

1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users sharing addresses, both for IPv4 and IPv6.

2. Swedish.

3. We don’t monitor our users. In the rare cases of such egregious network abuse that we can’t help but notice (such as DoS attacks) we stop it using basic network tools.

4. We do use external providers and encourage people sending us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

5. There is no such Swedish law that is applicable to us.

6. We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.

7. Under current Swedish law there is no way for them to force us to secretly act against our users so a warrant canary would serve no purpose. Also, we would not continue to operate under such conditions anyway.

8. Yes.

9. Bitcoin (we were the first service to accept it), cash (in the mail), bank transfers, and PayPal / credit cards. Payments are tied to accounts but accounts are just random numbers with no personal information attached that users can create at will. With the anonymous payments possible with cash and Bitcoin it can be anonymous all the way.

10. OpenVPN (using the Mullvad client program). Regarding crypto, ideally we would recommend Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN. We therefore recommend and by default use RSA-2048, D-H (DHE) and AES-256-CBC-SHA. We have a “kill switch,” DNS leak protection and IPv6 leak protection (and IPv6 tunnelling).

11. Yes, we use our own DNS servers.

12. We have a range of servers. From on one end servers lovingly assembled and configured by us with ambitious physical security in data centers owned and operated by people we trust personally and whose ideology we like. On the other end rented hardware in big data centers. Which to use depends on the threat model and performance requirements. Currently we have servers hosted by GleSYS Internet Services, 31173 Services and Leaseweb in Sweden, the Netherlands, USA and Germany.

Mullvad website

BolehVPN

1. No.

2. Malaysia. This may change in the near future and we will post an announcement when this is confirmed.

3. We do monitor general traffic patterns to see if there is any unusual activity that would warrant a further investigation.

4. We use ZenDesk and Zopim but are moving to use OSTicket which is open source. This should happen in the next 1-2 months.

5. Generally we work with the providers to resolve the issue and we have never given up any of our customer information. Generally we terminate our relationship with the provider if this is not acceptable. Our US servers under DMCA jurisdiction or UK (European equivalent) have P2P locked down.

6. This has not happened yet but we do not keep any user logs so there is not much that can be provided especially if the payment is via an anonymous channel. One of our founders is a lawyer so such requests will be examined on their validity and we will resist such requests if done without proper cause or legal backing.

7. Yes.

8. Yes it is allowed except on those marked Surfing-Streaming only which are restricted either due to the provider’s policies or limited bandwidth.

9. We use MolPay, PayPal, Coinbase, Coinpayments and direct deposits. On our system it is only marked with the Invoice ID, the account it’s for, the method of payment and whether it’s paid or not. We however of course do not have control of what is stored with the payment providers.

10. Our Cloak configurations implement 256 bit AES and a SHA-512 HMAC combined with a scrambling obfuscation layer. We do have a lock down/kill switch feature and DNS leak protection.

11. Yes we do use our own DNS servers.

12. Our VPN servers are hosted by third parties however for competitive reasons, we rather not mention our providers (not that it would be hard to find out with some digging). However none of these servers hold anything sensitive as they are authenticated purely using PKI infrastructure and as long as our users regularly update their configurations they should be fine. We do however have physical control over the servers that handle our customer’s information.

BolehVPN website

NordVPN

1. Do we keep logs? What is that? Seriously, we have a strict no-logs policy over our customers. The only information we keep is customers’ e-mail addresses which are needed for our service registration (we keep the e-mail addresses until the customer closes the account).

2. NordVPN is based out of Panama.

3. No tools are used to monitor our customers in any case. We are only able to see the servers’ load, which helps us optimize our service and provide the best possible Internet speed to our users.

4. We use the third-party live support tool, but it is not linked to the customers’ accounts.

5. When we receive any type of legal notices, we cannot do anything more than to ignore them, simply because they have no legal bearing to us. Since we are based in Panama, all legal notices have to be dealt with according to Panamanian laws first. Luckily they are very friendly to Internet users.

6. If we receive a valid court order, firstly it would have to comply with the laws of Panama. In that case, the court settlement should happen in Panama first, however were this to happen, we would not be able to provide any information because we keep exactly nothing about our users.

7. We do not have a warrant canary or any other alert system, because as it was mentioned above, we operate under the laws of Panama and we guarantee that any information about our customers will not be distributed to any third party.

8. We do not restrict any BitTorrent or other file-sharing applications on most of our servers.

9. We accept payments via Bitcoin, Credit Card, PayPal, Banklink, Webmoney (Paysera). Bitcoin is the best payment option to maintain your anonymity as it has only the paid amount linked to the client. Users who purchase services via PayPal are linked with the usual information the seller can see about the buyer.

10. We have high anonymity solutions which we would like to recommend to everyone seeking real privacy. One of them is Double VPN. The traffic is routed through at least two hops before it reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays. Both of these security solutions give a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Furthermore, our regular servers have a strong encryption which is 2048bit SSL for OpenVPN protocol, AES-256bit for L2TP.

In addition to that, we have advanced security solutions, such as the “kill switch” and DNS leak protection which provide the maximum possible security level for our customers.

11. NordVPN has its own DNS servers, also our customers can use any DNS server they like.

12. Our servers are outsourced and hosted by third parties. Currently our servers are in 26 countries: Australia, Austria, Brazil, Canada, Chile, France, Germany, Hong Kong, Iceland, Isle of Man, Israel, Italy, Liechtenstein, Lithuania, Netherlands, Panama, Poland, Romania, Russia, Singapore, South Africa, Spain, Sweden, Switzerland, United Kingdom and United States.

NordVPN website

TorrentPrivacy


1. We don’t keep any logs with IP addresses. The only information we save is an email. It’s impossible to connect specific activity to a user.

2. Our company is under Seychelles jurisdiction.

3. We do not monitor any user’s traffic or activity for any reason.

4. We use third-party solutions for user communications and emailing. Both are running on our servers.

5. We have small amount of abuses. Usually we receive them through email and all of them are bot generated. As we don’t keep any content we just answer that we don’t have anything or ignore them.

6. It has never happened for 8 years. We will ignore any requests from all jurisdiction except Seychelles. We have no information regarding our customers’ IP addresses and activity on the Internet.

7. No, we don’t bother our users.

8. Yes we support all kind of traffic on all servers.

9. We are using PayPal but payment as a fact proves nothing. Also we are going to expand our payment types for the crypto currencies in the nearest future.

10. We are recommending to use the most simple and secure way — OpenVPN with AES-256 encryption. To protect the torrent downloads we suggest to create a proxy SSH tunnel for your torrent client. In this case you are encrypting only your P2P connection when your browser or Skype uses your default connection. When using standard VPN in case of disconnection your data flows unencrypted. Implementing our SSH tunnel will save from such leaking cause traffic will be stopped.

11. Yes. We are using our own DNS servers.

12. We use third party datacenters for VPN and SSH data transmission in the USA, UK and Netherlands. The whole system is located on our own servers.

TorrentPrivacy website

Proxy.sh

1. We do not keep any log at all.

2. Republic of Seychelles. And of course, every jurisdiction where each of our servers are, for their specific cases.

3. IPtables, TCPdump and Wireshark, for which their use is always informed at least 24 hours in advance via our Network Alerts and/or Transparency Report.

4. All our emails, panels and support are in-house. We host our own WHMCS instance for billing and support. We host server details, project management and financial management on Redmine that we of course self-run. The only third-party connections we have are Google Analytics and Google Translate on our public website (not panel), for obvious convenience gains, but the data they fetch can easily be hidden or faked. We may also sometimes route email through Mandrill but never with user information. We also have our OpenVPN client’s code hosted at Github, but this is because we are preparing to open source it.

5. We block the affected port and explain to upstream provider and/or complainant that we cannot identify the user who did the infringement, and we can therefore not pass the notice on. We also publish a transparency report and send a copy to the Chilling Effects Clearinghouse. If there are too many infringements, we may block all ports and strengthen firewall rules to satisfy upstream provider, but this may lead us to simply drop the server on short-term due to it becoming unusable.

6. We first post the court order to public and inform our users through our blog, much-followed Twitter account, transparency report and/or network alert. If we are unable to do so, we use our warrant canary. Then, we would explain to the court that we have no technical capacity to identify the user and we are ready to give access to competent and legitimate forensic experts. To this date, no valid court order has been received and acknowledged by us.

7. Yes, proxy.sh/canary.

8. We do not discriminate activity across our network. We are unable to decrypt traffic to differentiate file-sharing traffic from other activities, and this would be against our ethics anyway. The use of BitTorrent and similar is solely limited to the fact you can whether open/use the ports you wish for it on a selected server.

9. We support hundreds of payment methods, from PayPal to Bitcoin through SMS to Ukash and Paysafecard. We use third-party payment providers who handle and carry themselves the payments and the associated user information needed for them (e.g. a name with a credit card). We never have access to those. When we need to identify a payment for a user, we always need to ask him or her for references (to then ask the payment provider if the payment exists) because we do not originally have them. Last but not least, we also have an option to kill accounts and turn them into completely anonymous tokens with no panel or membership link at all, for the most paranoid customers (in the positive sense of the term).

10. We currently provide Serpent in non-stable & limited beta and it is the strongest encryption algorithm we have. We also openly provide to our experienced users ECDH curve secp384r1 and curve25519 through a 4096-bit Diffie-Hellman key. We definitely recommend such a setup but it requires software compiling skills (you need OpenVPN’s master branch). This setup also allows you to enjoy OpenVPN’s XOR capacity for scrambling traffic. We also provide integration of TOR’s obfsproxy for similar ends. Finally, for more neophyte users, we provide 4096-bit RSA as default standard. It is the strongest encryption that latest stable OpenVPN provides. Cipher and hash are the strongest available and respectively 256-bit CBC/AES and SHA512. Our custom OpenVPN client of course provides a kill switch and DNS leak protection.

11. Yes, we provide our own OpenNIC DNS servers as well as DNSCrypt capacity.

12. We use a mix of collocation (physically-owned), dedicated and virtual private servers – also known as a private/public cloud combination. All our VPN servers are running from RAM and are disintegrated on shutdown or reboot. About two-third of them are in the public cloud (especially for most exotic locations). Our network spans across more than 40 countries.

Proxy.sh website

HideIPVPN

1. We have revised our policy. Currently we store no logs related to any IP address. There is no way for any third-party to match user IP to any specific activity in the internet.

2. We operate under US jurisdiction.

3. We would have to get into details of each individual point of our ToS. For basics like P2P and torrent traffic on servers that do not allow for such transmissions or connecting to more than three VPN servers at the same time by the same user account. But we do not monitor users’ traffic. Also, since our users use shared IP address of VPN server, there is no way any third party could connect any online activity to a user’s IP address.

4. We are using Google apps for incoming mail and our own mail server for outgoing mail.

5. Since no information is stored on any of our servers there is nothing that we can take down. We reply to the data center or copyright holder that we do not log our users’ traffic and we use shared IP-addresses, which make it impossible to track who downloaded any data from the internet using our VPN.

6. We would reply that we do not have measures that would allow us to identify a specific user. It has not happened so far.

7. Currently not. We will consider if our customers would welcome such a feature. So far we have never been asked for such information.

8. This type of traffic is welcomed on our German (DE VPN) and Dutch (NL VPN) servers. It is not allowed on US, UK and Canada servers as stated in our ToS – reason for this is our agreements with data centers. We also have a specific VPN plan for torrents.

9. Currently HideIPVPN accepts the following methods: PayPal, Bitcoin, Credit & Debit cards, AliPay, Web Money, Yandex Money, Boleto Bancario, Qiwi.

10. We would say SoftEther VPN protocol looks very promising and secure. Users can currently use our VPN applications on Windows and OSX systems. Both versions have a “kill switch” feature in case connection drops. Also, our apps are able to re-establish VPN connection and once active restart closed applications.

Currently our software does not provide DNS leak protection. However a new version of VPN client is in the works and will be updated with such a feature. We can let you know once it is out. At this time we can say it will be very soon.

11. For VPN we use Google DNS servers, and for SmartDNS we use our own DNS servers.

12. We don’t have physical control of our VPN servers. Servers are outsourced in premium datacenters with high quality tier1 networks. Countries now include – US/UK/NL/DE/CA

HideIPVPN website

BTGuard

1. We do not keep any logs whatsoever.

2. United States

3. Custom programs that analyze traffic on the fly and do not store logs.

4. No, all data is stored on servers we control.

5. We do not have any open incoming ports, so it’s not possible for us to “takedown” any broadcasting content.

6. We would take every step within the law to fight such an order and it has never happened.

7. No.

8. Yes, all types of traffic are allowed with our services.

9. We accept PayPal and Bitcoin. All payments are linked to users’ accounts because they have to be for disputes and refunds.

10. We recommend OpenVPN and 128-bit blowfish. We offer instructions for some third party VPN monitoring software.

11. We use our own DNS servers.

12. We have physical control over all our servers. Our servers we offer services with are located in the Netherlands, Canada, and Singapore. Our mail servers are located in Luxembourg.

BTGuard website

SlickVPN

1. SlickVPN does not log any traffic nor session data of any kind.

2. We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. We will not disclose the exact hierarchy of our corporate structures, but will say the main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.

3. We do not monitor any customer’s activity in any way. We have chosen to disallow outgoing SMTP which helps mitigate SPAM issues.

4. No. We do utilize third party email systems to contact clients who opt in for our newsletters.

5. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session, otherwise we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we ALMOST NEVER receive a VALID DMCA complaint while a user is still in an active session.

6. Our customer’s privacy is of top most importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. We would not rule out relocating our businesses to a new jurisdiction if required.

7. Yes. We maintain a passive warrant canary, updated weekly, and are investigating a way to legally provide a passive warrant canary which will be customized on a “per user” basis, allowing each user to check their account status individually. It is important to note that the person(s) responsible for updating our warrant canary are located outside of any of the countries where our servers are located.

8. Yes, all traffic is allowed.

9. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America and the other platform is operated out of Nevis. We offer the ability for the customer to permanently delete their payment information from our servers at any point. All customer data is automatically removed from our records shortly after the customer ceases being a paying member.

10. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and it uses the AES-256-CBC algorithm for encryption.

Our Windows and Mac client incorporates IP and DNS leak protection which prevents DNS leaks and provides better protection than ordinary ‘kill-switches’. Our IP leak protection proactively keeps your IP from leaking to the internet. This was one of the first features we discussed internally when we were developing our network, it is a necessity for any good VPN provider.

11. Yes.

12. We run a mix. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties until we have enough traffic in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We run an algorithm to randomly reboot each server on a regular basis so we can clear the ramdisk.

SlickVPN website

OctaneVPN

1. No. We cannot locate an individual user by IP address and timestamp. There are no logs written to disk on our gateways.

The gateway servers keep the currently authenticated customers in the server’s RAM so they can properly connect and route incoming traffic to those customers. Obviously, if a server is powered down or restarted, the contents of the RAM are lost. We keep gateway performance data such as CPU loading, I/O rates and maximum simultaneous connections so that we can manage and optimize our network.

2. We operate two independent companies with different ownership structures – a network operations company and a marketing company. The network operations company operates out of Nevis. The marketing company operates under US jurisdiction and manages the website, customer accounts and support. The US company has no access to network operations and the Nevis company has no customer account data.

3. We are not in the business of monitoring customer traffic in any way. Spam emails were our biggest issue and early on we decided to prevent outgoing SMTP. Otherwise, the only other abuse tools we use are related to counting the number of active connections authenticated on an account to control account sharing issues. We use a NAT firewall on incoming connections to our gateways to add an extra layer of security for our customers.

4. No. We do use a service to send generic emails.

5. Due to the structure of our network operations company, it is unusual that we would receive a notice. There should be no cause for the marketing company to receive a notice. If we receive a DMCA notice or its equivalent based on activity that occurred in the past, we respond that we do not host any content and have no logs.

If we receive a DMCA notice based on very recent activity and the customer’s current VPN session during which it was generated is still active on the gateway, we may put the account on hold temporarily and notify the customer. No customer data is used to respond to DMCA notices.

6. Our customers’ privacy is a top priority for us. We would proceed with a court order with complete transparency. A court order would likely be based on an issue traced to a gateway server IP address and would, therefore, be received by our network operations company which is Nevis based. The validity of court orders from other countries would be difficult to enforce. The network company has no customer data.

Our marketing company is US based and would respond to an order issued by a court of competent jurisdiction. The marketing company does not have access to any data related to network operations or user activity, so there is not much information that a court order could reveal. This has not happened.

7. We are discussing internally and reviewing existing law related to how gag orders are issued to determine the best way to offer this measure of customer confidence.

8. Yes. We operate with network neutrality except for outgoing SMTP.

9. Bitcoin and other cryptocurrencies such as Darkcoin, Credit/Debit Card, and PayPal. If complete payment anonymity is desired, we suggest using Bitcoin, DarkCoin, or a gift/disposable credit card. Methods such as PayPal or Credit/Debit card are connected to an account token so that future renewal payments can be properly processed and credited. We allow customers to edit their account information. With our US/Nevis operating structure, customer payment systems information is separate from network operations.

10. We recommend using the AES-256-CBC cipher with OpenVPN, which is used with our client. IPSec is available for native Apple device support and PPTP is offered for other legacy devices, but OpenVPN offers the best security and speed and is our recommended protocol.

We provide both DNS and IP leak protection in our Windows and Mac OctaneVPN client. Our OpenVPN based client’s IP leak protection works by removing all routes except the VPN route from the device when the client has an active VPN connection. This is a better option than a ‘kill switch’ because our client ensures the VPN is active before it allows any data to leave the device, whereas a ‘kill switch’ typically monitors the connection periodically, and, if it detects a drop in the VPN connection, reacts.

11. Yes and we physically control them. You can choose others if you prefer.

12. In our more active gateway locations, we colocate. In locations with lower utilization, we normally host with third parties until volume at that location justifies a physical investment there. The hosted locations may have different providers based on geography. We operate gateways in over 44 countries and 90 cities. Upon booting, all our gateways load over our encrypted network from a master node and operate from encrypted ramdisk. If an entity took physical control of a gateway server, the ramdisk is encrypted and would vanish upon powering down.

OctaneVPN website

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and anonymous VPN services.

‘Game of Thrones’ Most Pirated TV-Show of 2014

Posted: 26 Dec 2014 01:07 AM PST

Game of Thrones has taken the crown of most downloaded TV-show for the third consecutive year.

With more than 8 million downloads via BitTorrent, the 2014 season finale is way ahead of the competition.

Breaking Bad and The Walking Dead complete the top three with an estimated 4.2 and 3.6 million downloads respectively.

Game of Thrones’ top listing doesn’t come as much of a surprise. Earlier this year it broke an all-time piracy record when more than 254,114 peers shared the same torrent file simultaneously.

Overall there is no sign that TV-show piracy is declining; on the contrary, the download numbers for the most popular shows continue to rise, sometimes exceeding the number of traditional viewers in the US.

Below we have compiled a list of the most downloaded TV-shows worldwide (single episode) for 2014, together with the viewer average in the US. The data is estimated by TorrentFreak based on several sources, including download statistics reported by public BitTorrent trackers.

Online streaming and downloads for file-hosting services are not included since there are no public sources to draw data from. Total piracy numbers will therefore be significantly higher.

Most downloaded TV-shows on BitTorrent, 2014

Rank | Show | Est. downloads | Est. US TV viewers
1 | Game of Thrones | 8,100,000 | 7,160,000
2 | The Walking Dead | 4,800,000 | 17,290,000
3 | The Big Bang Theory | 3,900,000 | 18,240,000
4 | How I Met Your Mother | 3,500,000 | 13,130,000
5 | Gotham | 3,200,000 | 11,810,000
6 | Arrow | 2,900,000 | 3,920,000
7 | Grey’s Anatomy | 2,800,000 | 9,810,000
8 | Vikings | 2,700,000 | 3,560,000
9 | Suits | 2,500,000 | 2,800,000
10 | South Park | 2,400,000 | 2,400,000

Source: TorrentFreak, for the latest info on copyright, file-sharing and anonymous VPN services.

What Hard Drive Should I Buy?

How long do hard drives last for?
Published on September 14, 2016 in Cloud and Online Backup

Hard drive failure is unpredictable, so answering the question of how long hard drives last inherently comes with a lot of caveats.

Short answer: That being said, if you just want a quick rule of thumb for how long you can expect the hard drive in your laptop to last, we’d say you should be prepared for disk failure after three years of use.

Long answer: A handful of studies on the lifespan of hard drives might give you some clearer indication, but they still aren’t very helpful. Many of the hard drives tested do not fail at all. These drives are also kept in controlled environments and don’t undergo the same conditions as, say, your laptop drive.

Factor in the following questions:

  • What brand is the hard drive?
  • What do you use it for? Running applications, viewing media, or storage?
  • How often do you use your computer?
  • Is it frequently shaken, vibrated, or bumped?
  • How hot does your computer get?

These factors and many more can affect the lifespan of a hard drive. All of the discussion below, unless otherwise noted, refers to standard magnetic disk drives, not solid state drives or hybrid drives.

Which hard drive brands last the longest?

Short answer: HGST (rebranded name for Hitachi) drives generally last longer than Seagate and Western Digital. We don’t have enough definitive data on Samsung or Toshiba to draw a conclusion about them.

[Chart: hard drive failure rate by manufacturer]

Long answer: In 2014, cloud backup company Backblaze started posting statistics on the failure rate of over 27,000 hard drives and their respective brands. In short: Hitachi drives failed the least, followed by Western Digital. Seagate had the highest failure rate by far, with 13 percent of Backblaze’s 1.5TB models failing over the course of a year.

When new results were published one year later, however, Western Digital surpassed Seagate and failed the most of the brands tested. Toshiba results were included in these results despite the relatively small number of drives tested. Toshiba scored roughly the same as Seagate. HGST was still the most reliable overall.

In 2016, the latest report, Seagate returned to its position as the hard drive brand with the highest failure rate, followed by Western Digital. Toshiba beat both of them, but Hitachi held firm at number one with the lowest annual failure rates.

Note that failure rate varies between models as well as brands. The 1.5TB models from Seagate fail far more often than the larger models from the same brand tested by Backblaze, for instance.

Why does Backblaze measure the failure rate per year instead of the age of the hard drives when they fail? Because most of the drives they tested didn’t fail at all. Four in five hard drives were still going strong by the end of each three-year test.

What causes hard drive failure?

Short answer: Factory defects and vibration

[Figure: the bathtub curve]

Long answer: A useful way to visualize the cause of failure rates in hard drives is with something called the Bathtub Curve.

The Bathtub Curve tells us hard drives have a high rate of failure in their first few days, weeks, and months of use. This is usually the result of factory defects. A hard drive might be dead on arrival, for instance. Some call this the hard drive “infant mortality” rate.

If a hard drive has no factory defects, it will typically endure over the next two or three years without issue, which means the failure rate falls. By year four and five, the failure rate is well on its way back up again. These failures are due to general wear and tear, but pinpointing a specific cause has proven troublesome for researchers.

Conventional wisdom would have you believe hard drives that get hot will generally fail faster than those that don’t. Some studies conclude as much, but the largest study on the subject matter to date performed by Google suggests otherwise. You might also assume that hard drives which are used more fail quicker than those used less. Not so, says Google:

“Contrary to previously reported results, we found very little correlation between failure rates and either elevated temperature or activity levels.”

Google measured activity (also referred to as “utilization”) levels by analyzing the total time spent reading or writing data on the drive over a period of time. Drives that were utilized more failed significantly more in the first three months, but then failure rates dropped off in the subsequent months and years. Their failure rates then stay level, and even lower than those of the less-used drives, until year five, when drives with higher utilization levels start failing more often again. Google attributes this to what it calls the “survival of the fittest theory,” in which the causes of failure that are associated with higher utilization are more prominent early and late in a drive’s lifetime. In short, utilization might not be causing hard drive failure; it just makes the actual causes of failure surface more quickly.

In Backblaze’s report, the company notes that some drives were incompatible due to what they surmised was vibration. While the impact of heat and activity is still inconclusive, vibration, bumps, drops, and shakes can definitely shorten the life of a hard drive.

Can I trust the MTBF?

Short answer: No

A hard drive’s MTBF, or mean time between failures, is an estimation of how long a hard drive will last. Some hard drive manufacturers advertise this figure, which usually ranges between 1 million and 1.5 million hours, as a way of showing how reliable a specific drive model is.

A study by Carnegie Mellon University shows that MTBFs are greatly exaggerated. They suggest “a nominal annual failure rate of at most 0.88 percent.”

“We find that in the field, annual disk replacement rates typically exceed 1%, with 2-4% common and up to 13% observed on some systems. This suggests that field replacement is a fairly different process than one might predict based on datasheet MTTF.”

That’s more than double, and in some cases more than tenfold, what a manufacturer states in the MTTF.
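The gap between a datasheet figure and field replacement rates can be checked with a few lines of arithmetic and a Poisson tail test. The Python below is an added example, not code from the study or from any vendor: it turns the MTBF range quoted above into a nominal annual failure rate and asks how plausible a given number of failures in one year would be if the datasheet were true. The 1,000-drive fleet, the function names and the assumption that every slot runs a full year are made up for illustration.

```python
import math

HOURS_PER_YEAR = 8760  # 365 days x 24 hours


def nominal_afr(mtbf_hours):
    """Datasheet MTBF (hours) -> nominal failures per drive-year."""
    return HOURS_PER_YEAR / mtbf_hours


def implied_mtbf(annual_rate):
    """Observed annual failure/replacement rate -> the MTBF (hours) it implies."""
    return HOURS_PER_YEAR / annual_rate


def poisson_sf(k, lam):
    """P(X >= k) for X ~ Poisson(lam).

    The upper tail is summed directly (terms computed in log space) so that
    very small probabilities are not lost to rounding in 1 - CDF.
    """
    if k <= 0:
        return 1.0
    total, i = 0.0, k
    while True:
        term = math.exp(-lam + i * math.log(lam) - math.lgamma(i + 1))
        total += term
        # Past the mode the terms only shrink; stop once they no longer matter.
        if i > lam and term <= total * 1e-15:
            break
        i += 1
    return min(total, 1.0)


def datasheet_check(drives, failures_in_year, mtbf_hours):
    """Compare one year of fleet failures with what the datasheet MTBF predicts.

    Assumption: every drive slot is in service for the whole year (failed
    drives are replaced), so the fleet accumulates `drives` drive-years.
    """
    expected = drives * nominal_afr(mtbf_hours)
    return {
        "expected_failures": expected,
        "observed_afr": failures_in_year / drives,
        "ratio_to_datasheet": failures_in_year / expected,
        # Chance of seeing at least this many failures if the MTBF were accurate.
        "p_value": poisson_sf(failures_in_year, expected),
    }


if __name__ == "__main__":
    for mtbf in (1_000_000, 1_500_000):
        print(f"MTBF {mtbf:>9,} h -> nominal AFR {nominal_afr(mtbf):.2%}")

    fleet = 1000  # constructed fleet size, not a figure from the study
    # Field replacement rates quoted in the text: 1%, 2-4%, up to 13%.
    for rate in (0.01, 0.02, 0.04, 0.13):
        r = datasheet_check(fleet, round(rate * fleet), 1_000_000)
        print(
            f"field rate {rate:.0%}: implied MTBF {implied_mtbf(rate):>9,.0f} h, "
            f"{r['ratio_to_datasheet']:.1f}x datasheet, p = {r['p_value']:.2g}"
        )
```

A 1 percent field rate is statistically compatible with a 1 million hour MTBF in a fleet this size; rates of 2 percent and above are not, which is the discrepancy the study describes.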

What to do if your hard drive fails

Short answer: Back it up before it fails.

Long answer: Dealing with hard drive failure requires preventative measures. Trying to recover data off of a hard drive after it has failed is a difficult and expensive endeavor. The best practice is to regularly back up your drives to a separate location, either a physical drive or the cloud.

For most of your media files–documents, pictures, videos, downloads, etc–a standard cloud backup service like IDrive or Crashplan should get the job done painlessly. Cloud backup ensures that your files will always be available whenever you need them. While an external hard drive could just as easily fail as the hard drive you backed up onto it, cloud backup services keep copies of your copies in a variety of locations, so you needn’t worry about failure or theft. Most cloud backup providers use apps that will automatically back up your files as you add, edit, and delete them, which makes the process all the easier.

If you want to back up your operating system, settings, and programs, things get a bit more complicated. We sometimes call these “bare bones” or “full system” backups. They come in two varieties: images and clones.

Cloning creates a virtually identical hard drive to the original, complete with files, applications, operating system, settings, boot record, allocation table–everything. If your hard drive fails, just swap in the cloned drive and you’ll be back up and running as if nothing ever happened, albeit back in time to the point when you created the clone.

Creating an image is similar, but everything is saved to a large compressed file that can be saved to an external hard drive. It can be stored on a normal storage partition instead of installed and it takes up a lot less space. The downside is that restoration is a bit more complicated. You’ll need the boot disc that comes with your operating system–either a CD or a thumb drive–and run the emergency restoration program to get things working again.

“hard drive mechanism” by Magnus Hagdorn licensed under CC BY-SA 2.0

 


 


My last two blog posts were about expected drive lifetimes and drive reliability. These posts were an outgrowth of the careful work that we’ve done at Backblaze to find the most cost-effective disk drives. Running a truly unlimited online backup service for only $5 per month means our cloud storage needs to be very efficient and we need to quickly figure out which drives work.

Because Backblaze has a history of openness, many readers expected more details in my previous posts. They asked what drive models work best and which last the longest. Given our experience with over 25,000 drives, they asked which ones are good enough that we would buy them again. In this post, I’ll answer those questions.

Drive Population

At the end of 2013, we had 27,134 consumer-grade drives spinning in Backblaze Storage Pods. The breakdown by brand looks like this:

Hard Drives by Manufacturer Used by Backblaze

Brand | Number of Drives | Terabytes | Average Age in Years
Seagate | 12,765 | 39,576 | 1.4
Hitachi | 12,956 | 36,078 | 2.0
Western Digital | 2,838 | 2,581 | 2.5
Toshiba | 58 | 174 | 0.7
Samsung | 18 | 18 | 3.7

As you can see, they are mostly Seagate and Hitachi drives, with a good number of Western Digital thrown in. We don’t have enough Toshiba or Samsung drives for good statistical results.

Why do we have the drives we have? Basically, we buy the least expensive drives that will work. When a new drive comes on the market that looks like it would work, and the price is good, we test a pod full and see how they perform. The new drives go through initial setup tests, a stress test, and then a couple weeks in production. (A couple of weeks is enough to fill the pod with data.) If things still look good, that drive goes on the buy list. When the price is right, we buy it.

We are willing to spend a little bit more on drives that are reliable, because it costs money to replace a drive. We are not willing to spend a lot more, though.

Excluded Drives

Some drives just don’t work in the Backblaze environment. We have not included them in this study. It wouldn’t be fair to call a drive “bad” if it’s just not suited for the environment it’s put into.

We have some of these drives running in storage pods, but are in the process of replacing them because they aren’t reliable enough. When one drive goes bad, it takes a lot of work to get the RAID back on-line if the whole RAID is made up of unreliable drives. It’s just not worth the trouble.

The drives that just don’t work in our environment are Western Digital Green 3TB drives and Seagate LP (low power) 2TB drives. Both of these drives start accumulating errors as soon as they are put into production. We think this is related to vibration. The drives do somewhat better in the new low-vibration Backblaze Storage Pod, but still not well enough.

These drives are designed to be energy-efficient, and spin down aggressively when not in use. In the Backblaze environment, they spin down frequently, and then spin right back up. We think that this causes a lot of wear on the drive.

Failure Rates

We measure drive reliability by looking at the annual failure rate, which is the average number of failures you can expect running one drive for a year. A failure is when we have to replace a drive in a pod.

[Chart: drive failure rates by manufacturer]

This chart has some more details that don’t show up in the pretty chart, including the number of drives of each model that we have, and how old the drives are:

Number of Hard Drives by Model at Backblaze

Model | Size | Number of Drives | Average Age in Years | Annual Failure Rate
Seagate Desktop HDD.15 (ST4000DM000) | 4.0TB | 5199 | 0.3 | 3.8%
Hitachi GST Deskstar 7K2000 (HDS722020ALA330) | 2.0TB | 4716 | 2.9 | 1.1%
Hitachi GST Deskstar 5K3000 (HDS5C3030ALA630) | 3.0TB | 4592 | 1.7 | 0.9%
Seagate Barracuda (ST3000DM001) | 3.0TB | 4252 | 1.4 | 9.8%
Hitachi Deskstar 5K4000 (HDS5C4040ALE630) | 4.0TB | 2587 | 0.8 | 1.5%
Seagate Barracuda LP (ST31500541AS) | 1.5TB | 1929 | 3.8 | 9.9%
Hitachi Deskstar 7K3000 (HDS723030ALA640) | 3.0TB | 1027 | 2.1 | 0.9%
Seagate Barracuda 7200 (ST31500341AS) | 1.5TB | 539 | 3.8 | 25.4%
Western Digital Green (WD10EADS) | 1.0TB | 474 | 4.4 | 3.6%
Western Digital Red (WD30EFRX) | 3.0TB | 346 | 0.5 | 3.2%
Seagate Barracuda XT (ST33000651AS) | 3.0TB | 293 | 2.0 | 7.3%
Seagate Barracuda LP (ST32000542AS) | 2.0TB | 288 | 2.0 | 7.2%
Seagate Barracuda XT (ST4000DX000) | 4.0TB | 179 | 0.7 | n/a
Western Digital Green (WD10EACS) | 1.0TB | 84 | 5.0 | n/a
Seagate Barracuda Green (ST1500DL003) | 1.5TB | 51 | 0.8 | 120.0%

The following sections focus on different aspects of these results.

1.5TB Seagate Drives

The Backblaze team has been happy with Seagate Barracuda LP 1.5TB drives. We’ve been running them for a long time — their average age is pushing 4 years. Their overall failure rate isn’t great, but it’s not terrible either.

The non-LP 7200 RPM drives have been consistently unreliable. Their failure rate is high, especially as they’re getting older.

1.5 TB Seagate Drives Used by Backblaze

Model | Size | Number of Drives | Average Age in Years | Annual Failure Rate
Seagate Barracuda LP (ST31500541AS) | 1.5TB | 1929 | 3.8 | 9.9%
Seagate Barracuda 7200 (ST31500341AS) | 1.5TB | 539 | 3.8 | 25.4%
Seagate Barracuda Green (ST1500DL003) | 1.5TB | 51 | 0.8 | 120.0%

The Seagate Barracuda Green 1.5TB drive, though, has not been doing well. We got them from Seagate as warranty replacements for the older drives, and these new drives are dropping like flies. Their average age shows 0.8 years, but since these are warranty replacements, we believe that they are refurbished drives that were returned by other customers and erased, so they already had some usage when we got them.

Bigger Seagate Drives

The bigger Seagate drives have continued the tradition of the 1.5TB drives: they’re solid workhorses, but there is a constant attrition as they wear out.

2.0 to 4.0 TB Seagate Drives Used by Backblaze

Model | Size | Number of Drives | Average Age in Years | Annual Failure Rate
Seagate Desktop HDD.15 (ST4000DM000) | 4.0TB | 5199 | 0.3 | 3.8%
Seagate Barracuda (ST3000DM001) | 3.0TB | 4252 | 1.4 | 9.8%
Seagate Barracuda XT (ST33000651AS) | 3.0TB | 293 | 2.0 | 7.3%
Seagate Barracuda LP (ST32000542AS) | 2.0TB | 288 | 2.0 | 7.2%
Seagate Barracuda XT (ST4000DX000) | 4.0TB | 179 | 0.7 | n/a

The good pricing on Seagate drives along with the consistent, but not great, performance is why we have a lot of them.

Hitachi Drives

If the price were right, we would be buying nothing but Hitachi drives. They have been rock solid, and have had a remarkably low failure rate.

Hitachi Drives Used by Backblaze

Model | Size | Number of Drives | Average Age in Years | Annual Failure Rate
Hitachi GST Deskstar 7K2000 (HDS722020ALA330) | 2.0TB | 4716 | 2.9 | 1.1%
Hitachi GST Deskstar 5K3000 (HDS5C3030ALA630) | 3.0TB | 4592 | 1.7 | 0.9%
Hitachi Deskstar 5K4000 (HDS5C4040ALE630) | 4.0TB | 2587 | 0.8 | 1.5%
Hitachi Deskstar 7K3000 (HDS723030ALA640) | 3.0TB | 1027 | 2.1 | 0.9%

Western Digital Drives

Back at the beginning of Backblaze, we bought Western Digital 1.0TB drives, and that was a really good choice. Even after over 4 years of use, the ones we still have are going strong.

We wish we had more of the Western Digital Red 3TB drives (WD30EFRX). They’ve also been really good, but they came after we already had a bunch of the Seagate 3TB drives, and when they came out their price was higher.

Western Digital Drives Used by Backblaze

Model | Size | Number of Drives | Average Age in Years | Annual Failure Rate
Western Digital Green (WD10EADS) | 1.0TB | 474 | 4.4 | 3.6%
Western Digital Red (WD30EFRX) | 3.0TB | 346 | 0.5 | 3.2%
Western Digital Green (WD10EACS) | 1.0TB | 84 | 5.0 | n/a

What About Drives That Don’t Fail Completely?

Another issue when running a big data center is how much personal attention each drive needs. When a drive has a problem, but doesn’t fail completely, it still creates work. Sometimes automated recovery can fix this, but sometimes a RAID array needs that personal touch to get it running again.

Each storage pod runs a number of RAID arrays. Each array stores data reliably by spreading data across many drives. If one drive fails, the data can still be obtained from the others. Sometimes, a drive may “pop out” of a RAID array but still seem good, so after checking that its data is intact and it’s working, it gets put back in the RAID to continue operation. Other times a drive may stop responding completely and look like it’s gone, but it can be reset and continue running.

Measuring the time spent in a “trouble” state like this is a measure of how much work a drive creates. Once again, Hitachi wins. Hitachi drives get “four nines” of untroubled operation time, while the other brands just get “two nines”.

Untroubled Operation of Drives by Manufacturer used at Backblaze
Brand | Active | Trouble | Number of Drives
Seagate | 99.72% | 0.28% | 12459
Western Digital | 99.83% | 0.17% | 933
Hitachi | 99.99% | 0.01% | 12956

Drive Lifetime by Brand

The chart below shows the cumulative survival rate for each brand. Month by month, how many of the drives are still alive?

[Chart: 36-month drive survival rate by brand]

Hitachi does really well. There is an initial die-off of Western Digital drives, and then they are nice and stable. The Seagate drives start strong, but die off at a consistently higher rate, with a burst of deaths near the 20-month mark.

Having said that, you’ll notice that even after 3 years, by far most of the drives are still operating.

What Drives Is Backblaze Buying Now?

We are focusing on 4TB drives for new pods. For these, our current favorite is the Seagate Desktop HDD.15 (ST4000DM000). We’ll have to keep an eye on them, though. Historically, Seagate drives have performed well at first, and then had higher failure rates later.

Our other favorite is the Western Digital 3TB Red (WD30EFRX).

We still have to buy smaller drives as replacements for older pods where drives fail. The drives we absolutely won’t buy are Western Digital 3TB Green drives and Seagate 2TB LP drives.

A year and a half ago, Western Digital acquired the Hitachi disk drive business. Will Hitachi drives continue their excellent performance? Will Western Digital bring some of the Hitachi reliability into their consumer-grade drives?


Correction: Hitachi’s 2.5″ hard drive business went to Western Digital, while the 3.5″ hard drive business went to Toshiba.

At Backblaze, we will continue to monitor and share the performance of a wide variety of disk drive models. What has your experience been?

Streaming Site Operators Face Jail & $1.7m Forfeiture

Posted: 26 Jun 2016 01:23 AM PDT

Founded half a decade ago, Swefilmer was Sweden’s most popular unauthorized streaming site.

Offering all the latest movies and TV shows, Swefilmer (and another, Dreamfilm) captured up to 25% of all web TV viewing in Sweden according to a 2015 report.

Last summer, however, the noose began to tighten. In July local man Ola Johansson revealed that he’d been raided by the police under suspicion of being involved in running the site.

Meanwhile, police continued the hunt for the site’s primary operator and in March 2016 it was revealed that a Turkish national had been arrested in Germany on a secret European arrest warrant. The 25-year-old is said to be the person who received donations from users and set up Swefilmer’s deals with advertisers.

Both men have now been prosecuted by Swedish authorities. In an indictment filed in the Varberg District Court, both men are accused of copyright infringement connected to the unlawful distribution of more than 1,400 movies.

Additionally, the 25-year-old stands accused of aggravated money laundering offenses related to his handling of Swefilmer’s finances.

The prosecution says that the site generated more than $1.7m between November 2013 and June 2015. More than $1.5m of that amount came from advertising with user donations contributing around $110,000. The state wants the 25-year-old to forfeit the full amount. A $77,000 car and properties worth $233,000 have already been seized.

While both could be sent to prison, the 22-year-old faces less serious charges and will be expected to pay back around $3,600.

The trial, which is expected to go ahead in just over a week, will be the most significant case against a streaming portal in Sweden to date.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.

RIAA-Approved File-Sharing Service Hacked, 51m User Details Leaked

Around 51 million user records of a file-sharing service that was first sued and then approved by the RIAA have been leaked online. The iMesh service was part of a shady group of former P2P services operating under the Bearshare, Lphant and Shareaza brands, despite the latter being obtained in the most questionable of circumstances.

Back in 2003, when file-sharing technology was still in its relative infancy, several platforms had aspirations of becoming the next Napster. One of those was Israel-based iMesh, which at four years old was practically a veteran already.

But in September that year an increasingly irritable RIAA said enough is enough and sued iMesh in the United States. At the time, both parties were defiant. The RIAA insisted that iMesh should be shut down, while iMesh’s owners claimed they’d done nothing wrong.

However, in the summer of 2014 an unusual peace was reached, with iMesh paying the RIAA more than $4m in compensation and continuing business as normal. As strange as it may seem, the RIAA appeared to have licensed people they’d already branded as pirates.

There were changes though. iMesh was forced to release a new client that carried filtering technology provided by Audible Magic, with the aim of stopping infringement on the network. From the release of iMesh v6 in October 2005, it’s almost certain that the RIAA had access to vast amounts of iMesh user data.

Now, however, some of that data has landed in the public arena. Following the sudden disappearance of iMesh in recent weeks, LeakedSource is reporting that it has obtained an iMesh database containing 51,310,759 user records.

“Each record contains an email address, a username, one password, an IP address, a Country location and a join date,” the site says.

The breach, which appears to have taken place in September 2013, lists users from 55 countries participating on iMesh. With 13.7m users, the United States was by far the most popular country.

Sadly, as is often the case when such breaches are made public, the password situation on iMesh was pretty bleak.

“Passwords were stored in multiple MD5 rounds with salting. ‘Salting’ makes decrypting passwords exponentially harder when dealing with large numbers such as these, and is better than what LinkedIn and MySpace did but MD5 itself is not nearly hard enough for modern computing. The methods iMesh used, albeit 3 years ago were still insufficient for the times,” LeakedSource notes.
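
An added example, not code from LeakedSource or iMesh: one way a site holding salted, iterated MD5 hashes like those described above can move them to a memory-hard KDF (scrypt) at rest, without waiting for users to log in, and then upgrade each record fully on the next successful login. The round count, salt layout, record format and scrypt parameters are assumptions, and the sample row is constructed.

```python
import hashlib
import hmac
import os

LEGACY_ROUNDS = 3  # assumed; the page says only "multiple MD5 rounds"
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)


def legacy_md5(password: bytes, salt: bytes) -> bytes:
    """Salted, iterated MD5 (hypothetical layout of the legacy scheme)."""
    digest = hashlib.md5(salt + password).digest()
    for _ in range(LEGACY_ROUNDS - 1):
        digest = hashlib.md5(salt + digest).digest()
    return digest


def wrap_legacy(md5_digest: bytes, salt: bytes) -> str:
    """Re-protect a stored MD5 digest without knowing the password."""
    new_salt = os.urandom(16)
    key = hashlib.scrypt(md5_digest, salt=new_salt, **SCRYPT)
    return "$".join(["md5-scrypt", salt.hex(), new_salt.hex(), key.hex()])


def new_record(password: bytes) -> str:
    """Hash a password directly with scrypt and a fresh random salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password, salt=salt, **SCRYPT)
    return "$".join(["scrypt", salt.hex(), key.hex()])


def verify(record: str, password: bytes):
    """Return (ok, record_to_store); wrapped records are upgraded on success."""
    scheme, *fields = record.split("$")
    if scheme == "scrypt":
        salt, key = (bytes.fromhex(f) for f in fields)
        ok = hmac.compare_digest(hashlib.scrypt(password, salt=salt, **SCRYPT), key)
        return ok, record
    if scheme == "md5-scrypt":
        old_salt, new_salt, key = (bytes.fromhex(f) for f in fields)
        inner = legacy_md5(password, old_salt)
        ok = hmac.compare_digest(hashlib.scrypt(inner, salt=new_salt, **SCRYPT), key)
        return ok, (new_record(password) if ok else record)
    raise ValueError("unknown scheme: " + scheme)


# Constructed sample: one legacy row as it might sit in the old user table.
old_salt = bytes.fromhex("00112233445566778899aabbccddeeff")
legacy_row = legacy_md5(b"correct horse battery staple", old_salt)
wrapped = wrap_legacy(legacy_row, old_salt)  # the bare MD5 digest can now be deleted
```

Wrapping covers dormant accounts immediately; the bare MD5 column should be dropped once every row is wrapped, since any copy that survives in backups is still only as strong as MD5.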

Only making matters worse are the passwords deployed by users. Close to a million of iMesh’s users went for ‘123456’, with more than 330,000 going for the slightly longer variant ‘123456789’.

For what would turn into a largely crippled file-sharing network, iMesh was still attracting plenty of new users. The leak shows that in 2006, just after the release of the RIAA-approved client, iMesh had 4.8 million people sign up. During 2011, 9.4 million jumped on board. The last data available shows 2.5 million new members in 2013.

Now, however, iMesh is suddenly no more. After more than a decade of working with the RIAA (and even the MPAA who had a deal to limit movie sharing on the service), several weeks ago iMesh suddenly shut down. May 5 is the last date an active page is available on Wayback Machine, boasting access to 15 million licensed songs and videos.

Unsurprisingly, the iMesh shutdown is just one of many. At the same time several other platforms closed down, including Bearshare, Shareaza and Lphant. Each shows an almost identical shutdown message on its homepage, since underneath they were all one and the same software operated by the same company.

But while it is customary for file-sharing fans to mourn the loss of file-sharing services, few with knowledge of how this network operated will be disappointed that these have gone, and not just because of the RIAA deal either.

The original Shareaza and Lphant projects were both subjected to hostile action by Discordia, the owners of iMesh, in circumstances that remain murky to this day. The original and safe version of Shareaza continues on Sourceforge, somewhat against the odds.

 

The Division’s player count has dropped by a gigantic 93% since launch

Ubisoft launched The Division with a huge marketing campaign, and after a few delays and issues with the launch, it was a mostly positive deal for the company, with the game making $330 million in its first 5 days of release. Well, The Division’s player count has dropped by a huge 93%, leaving just 7% of its player base – Ubisoft really is in the Dark Zone with The Division and its longevity.

According to Githyp, The Division’s player count on Steam has dropped dramatically from its launch peak of 2.1 million players. Right now, it’s sitting at around 143,000 players, a drop of 93%. It was only 48 hours ago that Ubisoft enabled The Division’s “Clear Sky Challenge” mode, and before that we had the release of Clear Sky.

There are various issues with hacking and exploits, and with only a few hundred thousand people playing and 93% of the player base all but abandoning The Division, is the game on life support? And what’s Ubisoft’s plan for E3 2016?

Top 10 Most Pirated Movies of The Week – 04/18/16

Posted: 17 Apr 2016 11:59 PM PDT

This week we have two newcomers in our chart.

Deadpool is the most downloaded movie again.

The data for our weekly download chart is estimated by TorrentFreak, and is for informational and educational reference only. All the movies in the list are BD/DVDrips unless stated otherwise.

Ranking (last week) | Movie | IMDb Rating / Trailer
1 (4) | Deadpool (HDrip subbed) | 8.6 / trailer
2 (…) | Ride Along 2 | 5.9 / trailer
3 (4) | The Revenant | 8.2 / trailer
4 (2) | Star Wars: The Force Awakens | 8.3 / trailer
5 (…) | The Witch (Webrip) | 7.2 / trailer
6 (8) | Mr. Right (Web-DL) | 6.4 / trailer
7 (5) | Batman v Superman: Dawn of Justice (Cam/TS) | 7.5 / trailer
8 (9) | The Jungle Book (Hindi Cam) | 8.3 / trailer
9 (3) | Hail Caesar! (Webrip) | 6.8 / trailer
10 (6) | Kung Fu Panda 3 (Web-DL) | 8.0 / trailer

AnyDVD is Back But Don’t Call Us Pirates, Developer Says

Posted: 02 Mar 2016 09:09 AM PST

After coming under pressure from decryption licensing outfit AACS LA, last week DVD and Blu-ray copy-protection circumvention company SlySoft shut down.

It still hasn’t been made clear if studios including Warner Bros, Disney and technology partners Microsoft and Intel were behind the closure, but for now that’s the working assumption. Having SlySoft flagship product AnyDVD off the market would’ve been a huge feather in their collective caps.

But shutdowns of companies like SlySoft often prove troublesome and earlier this week the first signs of cracks in the closure began to show. With talk of a return under a new banner a hot topic, former developers openly discussed bringing AnyDVD and other products back online.

Making things more interesting was the revelation that SlySoft was not entirely based in Antigua but actually a decentralized operation with developers scattered in countries around the world. Developers who, it transpired, still had access to key SlySoft infrastructure and the will to reanimate the project. In the end, it didn’t take long.

Still sporting a familiar ‘fox’ logo, yesterday a reborn ‘RedFox’ rose from the ashes of SlySoft. Now hailing from Belize with at least some infrastructure in Latvia, the RedFox team delivered their first release – an update to AnyDVD, version 7.6.9.1.

“AnyDVD reborn! SlySoft is dead, long live RedFox!” declared the changelog.

“This is an intermediate release, so old customers can continue to use their existing AnyDVD license to watch their discs. This version can access the new RedFox Online Protection Database,” the group added.

Perhaps of most interest are the new features. In addition to some minor fixes and improvements, AnyDVD also supports new discs, a big first step for a product that just a week ago looked destined for the archives.

The release will only work if users already own a valid AnyDVD license, which suggests that RedFox have access to the old company’s licensing systems, another important step for keeping the business model moving forward. Additionally, old SlySoft products have also returned, including CloneBD and CloneDVD.

But while would-be pirates might find cause for celebration, not everyone in the new RedFox team welcomes being so closely associated with the practice. A developer identifying himself as ‘Peer’ says that comments made by release groups in an article published on TF at the weekend left him feeling “depressed”.

“Pirates were never the intended audience. If SlySoft could have shaken them off, they would have. In fact – some people seem to think, that without piracy, SlySoft wouldn’t have existed,” Peer explains.

For those that primarily used SlySoft’s products for piracy (and the MPAA and AACS LA seem to think that’s a whole bunch of them) the assumption seems reasonable. However, Peer sees things somewhat differently.

“Pirates only made a very small percentage of the AnyDVD userbase. And – given that they are pirates, it’s a valid question whether they were even paying customers,” he says.

“AnyDVD was created out of the frustration of a few people, who got fed up with the unplayability (yes! that word is fitting!) of DVDs and later on Blu-ray discs. So, of course, SlySoft could have easily done without the pirates – and had they, SlySoft might even still exist.”

While one can see Peer’s point (and presuming for a moment we can easily interchange the terms ‘piracy’ and ‘copyright infringement’), the fact that AnyDVD drilled a huge hole through the encryption efforts of AACS LA makes it a seriously infringing piece of software, if of course the trade groups and courts are to be believed.

So, one has to conclude that even without piracy SlySoft would’ve been in trouble, a point not lost on the developer.

“It’s not that the AACS-LA wouldn’t have gone to the same lengths trying – don’t mistake them to be fighting piracy, their goal is a more immediate one, which is to justify their existence,” Peer says.

“They have this huge money-making machine, collect fees for every [blu ray disc] ever being sold without having to really, well, do much (god, I wish I were the AACS-LA), while promising to protect the discs in return, which effectively doesn’t work – so they have no choice but to fight back.”

That fight includes taking down products like AnyDVD and DVDFab, both of which are closely connected (whether the developers like it or not) with DRM circumvention and ultimately piracy.

“You can’t deny that [piracy] is hurting the movie industry. And you can’t deny that we were involuntarily helping piracy. Just like the glass cutter involuntarily helps burglary,” Peer says.

“So, sorry MPAA, AACS and all you people with the fancy acronyms – we can’t help you with the piracy, but since no one is helping us with [playing and backing up] movies, we’re picking up things ourselves.”

Nevertheless, the intentions of the RedFox team will have little bearing on how they are perceived by the MPAA and AACS LA. They will be seen as outlaws with no respect for the laws that the industry groups worked long and hard to have put in place. On that basis alone, this battle is far from over.

Source: TF, for the latest info on copyright, file-sharing, torrent sites and ANONYMOUS VPN services.