by masmullin 3313 days ago
> AWS instance is easily traced back to you.

Define "easily" as used in this context. Easy is a product of who your enemy is.

Is your enemy your ISP? If that's the case, I don't think it's "easy" for them; they would have to pay Digital Ocean or Amazon to get your data, and it probably isn't really that valuable to them.

Is your enemy the MPAA? If that's the case, I still don't think it's particularly "easy" for them. Unless you are a MAJOR pirate distributor, the extra effort (money) to track you down isn't worth it.

Is your enemy the NSA or the FBI? If that's the case, then yes, it's trivially easy for them to subpoena Digital Ocean or Amazon to get your data, but similarly they can use techniques on PIA to get your data too.

In the end, it comes down to whom you trust with your data, and whether you want a managed VPN service or are willing to put up with the inherent problems of maintaining your own system. Will PIA sell your surfing habits to advertisers? Will DO sell your surfing habits to advertisers? Who gives faster speeds?


I agree overall, but PIA may not be the best example, as they have been shown to not keep any data that could be subpoenaed[1]. One nice thing about running your own (if your client machine is on Linux) is being able to use Wireguard[2], which is quite a bit faster than OpenVPN, for example.

1: https://torrentfreak.com/vpn-providers-no-logging-claims-tes...

2: https://www.wireguard.io/performance/

Never heard of Wireguard before, but it looks really cool, especially the mosh-like roaming. However, I found this warning on their website.

> WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change.

It's also versioned with a double zero: v0.0.20170517, and the repositories are marked unstable.

Also, the protocol itself is still considered 'version 0' with lots of possible changes on their website.

Looking forward to it maturing though.

Also worth checking out Shadowsocks, which was originally created to circumvent the GFW:

https://shadowsocks.org/en/index.html

https://en.wikipedia.org/wiki/Shadowsocks

The MPAA will serve an automated DMCA notice to your VPS provider, who will terminate your account at the very least.

Amazon's not in the business of terminating accounts the second a copyright request comes in. They want to build trust with their customers that they won't just turn you off on a whim.

I can vouch for this, from the other side. We routinely catch AWS hosts running password-guessing bots against our login forms. Emailing abuse@amazonaws.com doesn't seem to lead to reductions in our fail2ban and custom tarpit logs.

Claiming someone is brute forcing your logins doesn't have the legal weight of a DMCA notice. Why should they do anything? DMCA provides provisions for counter notice and legal remedies for false filings.

Is it the same hosts?

Having worked web security -

This is always a battle - for big operations you've got people farming out signups using stolen data to random 'buddies' on the other side of the world with the dark hat team ready to stand up outbounding traffic as fast as they can get a processor to execute it on, not to mention the hosts that get cracked automatically.

It's whack-a-mole on crystal meth.

That's their official response, and rightly so it should be. Talking from experience, I've had many requests for different websites I run and almost all were frivolous. Some content I took down anyways, and some I explained to Amazon why it was frivolous. They've never cancelled any of my services or even threatened to.

Not all hosts are US-based, though; some hosts in other countries prefer to get a court order in their own jurisdiction before taking action against a customer.

This doesn't mesh with reality; the sea of torrent seedboxes in existence would be dropping like flies and not growing.

Aren't torrent seedboxes typically in jurisdictions hostile or indifferent to US copyright law?

This exact thing happened to me on DO; I got an email from them (also automated) telling me to cut it out or have my account terminated. I was traveling overseas and had no other option for watching my shows, so I switched to PIA.

FYI, the MPAA can and will go after you even for a small site with 100s of visitors daily. They went after me, tried to sue me, got my servers shut down and sent lots of scary emails to my personal email.

It's easy for anyone who can do traffic analysis on your traffic, e.g. your ISP and mass surveillance perpetrators. And whoever your ISP decides to sell or give this data to.

Well, your traffic is encrypted (assuming OpenVPN), so all your ISP should be able to see is the amount of data to and from your VPN.

They can of course see the individual packets and their exact timings. This can be trivially correlated with egress traffic from your VPN gateway to other ISP-affiliated networks or web properties. And since it's your private gateway, there is no other traffic mixed in.

Traffic analysis is a term of art in cryptanalysis and SIGINT, in case you were not familiar: https://en.wikipedia.org/wiki/Traffic_analysis

I was unaware. Thanks for the info!

Digital Ocean outed me to the MPAA (they forwarded me a warning), but they didn't cancel my account. I now proxy my torrent client on top of the VPN.