You need to determine who your adversary is (at least the category of adversary they're in).
If your adversary is The NSA, you're probably fucked already - get off the internet.
If your adversary is your local drug or anti-terror law enforcement, they're probably getting "hints" from the NSA and likely parallel reconstructing evidence against you based on that.
If your adversary is closer to local cops, MPAA/RIAA, your boss, your parents, your ex-wife's lawyer, or your ISP - this list provides a great deal of useful information.
Good question - I guess the quick answer is "the most anonymous and secure VPN in the universe isn't going to help if you browse to pages with Facebook like buttons in the same browser where you've got an actively logged in Facebook session - or even non-logged-in session cookies". (Substitute Twitter/Google/Yahoo/whoever as appropriate)
Browser/cookie hygiene is orthogonal to VPN/network hygiene.
I'm not convinced signing up with one of the existing VPN services is any significantly easier than signing up with Digital Ocean or Rackspace, and using the Tinfoil creator service. Have you tried it?
I'm sure it's simple for someone who is familiar with the technology, but what about everyone else?
How would your average Joe know which DigitalOcean plan to sign up for, or which settings to apply?
We tell them, right on the page. We even give you a coupon so it's free. There are no settings to apply.
The steps are:
1) Make a DigitalOcean or Rackspace account.
2) Make an API key by clicking <link> and hitting the button.
3) Insert it in this box.
4) Hit go.
That's it. Then you download/install the client (like you would with any other VPN service) and you're done. You don't need to know anything about the droplet size, or anything else.
Quite literally, my mom has done this, and she sells clothing for a living and is not technically adept.
His argument is also flawed in that he says you need to roll your own because the VPN service providers can be compromised. Well, where are you going to run your server then? Any endpoint can be compromised by the business that owns it weather it be your ISP, AWS, or whatever else you plan to use.
You need to determine who your adversary is (at least the category of adversary they're in).
If your adversary is The NSA, you're probably fucked already - get off the internet.
If your adversary is your local drug or anti-terror law enforcement, they're probably getting "hints" from the NSA and likely parallel reconstructing evidence against you based on that.
If your adversary is closer to local cops, MPAA/RIAA, your boss, your parents, your ex-wife's lawyer, or your ISP - this list provides a great deal of useful information.