

Show HN: Responding to NSA spying with a simple consumer VPN service - rdl

The NSA metadata gathering and passive monitoring is quite upsetting, and we don&#x27;t have much confidence in legal changes happening quickly, so we put together a really simple consumer VPN service. We&#x27;re still cleaning up the UI and making the install process easier, but it should work for people now.<p>Yes, it&#x27;s based in the US, but there&#x27;s a big difference between &quot;will turn over data proactively&quot; and &quot;will push back on requests to the fullest extent of the law&quot;. Since we don&#x27;t fall under CALEA, there&#x27;s no requirement for us to have any monitoring infrastructure.<p>We&#x27;re focusing on the mobile experience for iOS and Android -- the best combination of platform security but also difficult to &quot;roll your own&quot; service.<p>Would greatly appreciate HN&#x27;s feedback on concept and implementation; still under active development.  Posting some free signup codes in the comments to try it out.<p>https:&#x2F;&#x2F;privacy.cryptoseal.com&#x2F;
======
47
The Biggest problem I have found with VPN providers is bandwidth. I just
installed DD-WRT on my router to use OpenVPN client on the router, the
bandwidth speed drops to a level that makes the setup totally useless.

It might be because of consumer grade router[1] have low computing power, but
the speed is so low that I highly doubt it. Yes I have tried multiple VPN
providers.

I have yet to find a VPN provider that can provide all of the following:

\- Guarantee Bandwidth

\- Take Privacy Seriously[2]

\- Support consumer grade router (with DD-WRT or alternative)

\- Do not cost more than my actual internet connection

[1] ASUS RT-N16

[2] [http://torrentfreak.com/vpn-services-that-take-your-
anonymit...](http://torrentfreak.com/vpn-services-that-take-your-anonymity-
seriously-2013-edition-130302/)

~~~
Spittie
I'm sure there are many legit VPN provider out of there, which really care
about the user and provide some hardware/bandwidth, but most are oversold
services (barely scam) with very high price for what they offer. I think the
solution is a self-made VPN out of a VPS. VPS nowadays are really cheap, and
you can get awesome deals with some very serious providers. Also, you can
easily get one outside the USA, for (in my opinion at least) increased
security.

For anyone interessed, [https://github.com/Nyr/openvpn-
install](https://github.com/Nyr/openvpn-install) makes installing OpenVPN a
breeze. For VPS deals, [http://www.lowendbox.com/](http://www.lowendbox.com/)
and [http://vpsboard.com/](http://vpsboard.com/).

~~~
icelancer
Absolutely agree. For those who have trouble setting up OpenVPN (it's a pain
in the ass) and want a simple solution, sshuttle works really, really well:

[https://github.com/apenwarr/sshuttle](https://github.com/apenwarr/sshuttle)

------
rdl
For the tech details: it's OpenVPN, PPTP, or L2TP, your choice. Yes, PPTP and
L2TP have "issues", but they're currently the easiest way to get a VPN on iOS
without a custom client.

~~~
lifeguard
These "issues" are critical in thwarting PRISM. More security snake oil.

~~~
mpyne
If enough people make it difficult enough to beat those implementation
"issues" then you still have security in the aggregate.

The Soviet soldier was almost always outclassed on a 1:1 basis by the German
soldier in WWII, but the Wehrmacht and Luftwaffe combined still were unable to
defeat the U.S.S.R.

------
richardwhiuk
I'm not sure how this is at all relevant to the NSA spying - the NSA are
gathering details from content providers (like Facebook, Google, Skype), so if
you use the VPN to access any of them you are still at risk, or if you
communicate using with anyone using one of those services.

~~~
rdl
It's not the whole solution, but the vast majority of NSA spying is passive
"over the wire" stuff. We _know_ they do that, pervasively, and even more, we
know foreign countries do that (and filtering, and in some cases lots of fun
tampering) on connections (e.g. Great Firewall of China). NSA has been doing
passive intercept since inception in the 1940s.

PRISM is somewhat ambiguous -- maybe it's a huge secret program where they get
blanket access to big sites directly, maybe it's just a UI layer for managing
subpoena or warrant results.

Protecting your metadata is one thing where a VPN works pretty well. There are
still some more advanced attacks (looking at the encrypted traffic flows on
lightly loaded links, you can infer what site/activity one is doing, even
without decrypting, unless you pad all communications).

~~~
tlrobinson
If the NSA is actually doing widespread monitoring/collection of backbone
traffic will a VPN actually help at all? End-to-end encryption seems like
right solution.

EDIT: nevermind, VPNs do offer obfuscation of "metadata", i.e. your IP
address, which I guess is what you were saying.

I wonder if you could create a VPN/Tor-like network that automatically picks
"exit nodes" closest to the destination to avoid taps... (or even better,
avoiding known tapped routes)

~~~
rdl
We actually do some pretty interesting internal routing for that, but only
have 4 geo locations so far. Adding more, and adding some "unique" security
features in the future, but wanted to get something out there now. Doing
"cross border" that way is probably the most meaningful, assuming many
countries set up their monitoring on international links. Being aggregated
inside a VPN service helps a lot there.

End to end is mostly the right solution, but I'd like to see message/object
based encryption (conf and signing) rather than just transport encryption,
too.

(other metadata includes DNS resolution, and of course all the other protocols
and things which aren't encrypted -- it's not JUST an issue of hiding your IP)

~~~
tlrobinson
So it's possible different hosts will see different IPs for me depending on
where they are in the network relative to your locations?

~~~
bifrost
Yep! Ideally you don't want to use different IPs while visiting the same site
because they'll likely block your account, but for sites on different sides of
the globe, this is going to happen.

------
prayag
One thing the NSA fiasco has done is made people aware of the security and
privacy issues on the internet and it's a great time to launch a service like
this. Hopefully we will have most of the internet users using VPN (and
hopefully Tor).

I also love the fact that they have servers outside of the US, makes it a
little bit harder for the US government to spy on you.

~~~
rdl
Yes, we love Tor, and are looking at ways to help Tor and make Tor more robust
and easier to use as well.

It would be ironic if the NSA fiasco ended up accomplishing half of the NSA's
mission (protecting domestic networks) by getting everyone to improve security
and encrypt-by-default, at the cost of making the NSA's SIGINT mission vastly
more difficult.

------
rdl
Coupon codes: hn50hnaeS6SaeR is 50% off for HN.

~~~
jvandenbroeck
What's the difference between you and eg.
[http://unblockvpn.com/](http://unblockvpn.com/) who offer easy VPN access for
less than $5 a month?

Or how is your product easier to use?

~~~
rdl
There are ~hundreds (thousands?) of VPN providers worldwide. I've seen as low
as $1-3/mo -- and some which are ad sponsored and free. I haven't used them
all, so I'm not sure of the specific advantages and disadvantages of each.

We have some differentiating security features vs. all existing VPN systems
coming; this is just a show hn to get feedback.

We've mainly worked on the corp VPN as a service (which does internal
monitoring/filtering/IDS/etc.), but at $100/mo, it's not really an option for
consumers. Due to all the NSA stuff, people were asking for a consumer option.

------
thaumaturgy
I intend absolutely no offense here. I love seeing HN projects posted here.
_But..._

One of the major issues that has been raised recently is, essentially, trust.
Especially in the market that you'd be targeting -- individuals that no longer
trust various online services.

You can say that you will fight requests as much as possible under law, but
how is that different from what Google, Facebook, and others claim to do?

The NYTimes just published an article claiming that Skype was backdoored by
the NSA in cooperation with a small team of Skype developers, in secret, back
in 2011. For the sort of people that are concerned by that sort of news, how
are you going to convince them that you're different?

~~~
B0Z
This exchange may provide some insight...
[https://news.ycombinator.com/item?id=5914546](https://news.ycombinator.com/item?id=5914546)

~~~
thaumaturgy
Thanks. I was also alluding to the service being compromised in the future
though. i.e., whether or not they've come up with something new, above and
beyond the usual assurances.

------
B0Z
One of the items I'm going to be most interested in from your service (when
the time comes for you guys to start working on it) will be the TOS and/or
practices you put in place.

I've been a ViprVPN customer before. I had a question or perhaps it was an
issue I called them about and the person I was communicating with told me what
VPN server I last connected to and when I connected. Sure, to do any kind of
troubleshooting, this would have been necessary and important information. But
I was concerned enough about the unsolicited disclosure that I cancelled the
service immediately.

DuckDuckGo can claim a reasonably high interest in protecting my privacy
because they simply do not collect data that the big search engine does.
Collecting and storing this data would make them a target for undisclosed,
unchallengeable, and unwarranted surveillance. This has enormous appeal to me.

Having said that, have you guys discussed (loosely) what data you will be
collecting?

~~~
rdl
Our goal for the privacy service is to collect as little as possible. (the
corp service is totally separate tech and infrastructure and has user-
configurable logging). We're trying to figure out what the absolute minimum
is. We're also looking at Bitcoin and other forms of payment.

For a $5-10/mo VPN, we're probably going to handle most problems by "open a
new account, here's a service credit", so we don't actually need to debug
much. We have a vested interest in collecting the minimum information possible
so there's no point in subpoenaing it from us.

------
kumarski
Thanks for making this viable for noobs like me.

~~~
Estragon
There are already plenty of equally viable options for cheaper. I hear good
things about [https://www.privateinternetaccess.com/pages/client-
support/](https://www.privateinternetaccess.com/pages/client-support/) , and
it is about 1/3rd the price.

------
davepeck
Howdy, CryptoSeal guys. It was great grabbing a beer with you in SFO earlier
this year and talking about the VPN space. GetCloak.com continues to go well.
I didn't realize you were heading in the consumer direction. We should
probably catch up again someday soon! ;-)

------
epoxyhockey
I like the idea of more VPN providers coming online. One thing that may be
helpful is to differentiate yourselves from the other VPN providers. For
example, I have a VPN provider. Should I switch to cryptoseal.com?

~~~
rdl
Honestly if you're happy with your VPN provider right now, it's probably not
worth switching yet. We try to do the baseline VPN service as well as possible
(performance, support, etc.), but it's not _that_ different from other
providers, so please consider us if you're not happy with the current
provider, but otherwise you're probably just as well served with whatever
you're using now, for now.

We're working on some things which will make it compelling to switch. We put
it up now because a lot of people don't have VPNs today -- so hopefully adding
another provider convinces some additional people they could use a VPN.

------
B0Z
Without having visited your URL, or read your TOS, or evaluated your service
for ease of use / viability, I will tell you right now that I would gladly pay
a cost equivalent to what I pay monthly for broadband for a VPN service that's
reliable and can protect 100% of my Internet traffic in transit. (Exit point,
destination points are a whole 'nother animal.)

~~~
rdl
So, since you sound like a somewhat higher end user:

1) What platforms do you care about? Do you mainly need service from one fixed
location, or from home/office network plus mobile?

2) How close does it need to get to the endpoints? We have 4 exit nodes right
now; we'd probably need ~50+ to be very close to most services. There's still
a portion which is "in the clear" (although, use https...), but it becomes
very impractical for NSA or especially others to passively tap all those
locations (since they wouldn't be IXes necessarily, and intra-colo links don't
get routed through buildings like ATT 611 Folsom St.

~~~
B0Z
There are 3 platforms I care about, Windows, Android, and Linux.

For the last 2 weeks I've been taking actions that attempt to pull-back my
public footprint and re-exert control over my privacy (admittedly illusory) to
a point where I feel more comfortable. One of the biggest "oh crap" moments
was when I realized my phone is powered by software derived from a Google
product.

Windows desktop should be straight forward enough to connect.

Personal Linux server farm with services that are open to the general
Internet, but for outbound traffic not related to something I serve, my
servers are at the mercy of the security of the feed I have.

As far as how close it has to be to an exit, I'm completely indifferent. There
are trade-offs that I'm willing to accept (in some cases, extreme) as I record
over 20 years of habitual internet behavior.

~~~
tmzt
If you have a Galaxy Nexus S or similar you could try the FirefoxOS image, the
base Linux system on there is quite simple and everything seems to be
available in Github. Of course you still have the baseband to worry about, but
apart from a few OMAP850s you're going to have a hard time getting away from
that.

------
smegel
Do you do ANY kind of logging?

~~~
rdl
We do logging on our web server, obviously the support ticket system, our mail
server, coupon code redemption, etc. Billing with Stripe -- presumably they
keep records for a long time. We don't see your CC, but are notified of
payment, etc. (which is why Bitcoin is very attractive to add, and maybe other
systems.)

The privacy VPN itself currently does zero logging. The best practices seem to
be either zero logging or very short retention logging. We'll commit to one of
those (but most likely zero logging) soon (working on a very clear and plain
language ToS). All the stuff we'd handle with logging is instead done by going
out to top-500 sites (or anything reported to us as not working), rather than
monitoring use.

We don't currently do "anonymization" so web browsing can be an issue. We're
looking at that with some kind of opt-in proxy.

~~~
smegel
> We don't currently do "anonymization" so web browsing can be an issue.

What does that mean exactly?

~~~
bifrost
Browsers leak information. Profusely.

We have looked at various ways to solve this, but generally the easiest thing
breaks a bunch of other "stuff". We'd like to not break stuff, but still be
private. We have a couple strategies but haven't deployed them yet.

~~~
smegel
We are talking about a VPN here aren't we? Won't anything the browser "leaks"
go down the same pipe and get spat out your end? Assuming your using In
Cognito and connecting to TLS websites...I can't imagine how there could still
be a significant privacy risk.

~~~
dfc
He means that the browser leaks information to the website that it is
connecting to. More info:

[https://panopticlick.eff.org/browser-
uniqueness.pdf](https://panopticlick.eff.org/browser-uniqueness.pdf)

------
buro9
Payment is by Stripe, how long are records of the transaction kept by
yourselves? Are you associating a card transaction to an IP address in any way
that could result in you ever having to release that data?

~~~
rdl
We're adding other, more anonymous payment options, which is probably the best
solution.

------
prg318
Where are the VPN servers located geographically? It might be wise to include
where your servers are located - and perhaps even a test IP address that users
can use for latency / packet loss testing.

~~~
rdl
US-West, US-Central, US-East, UK right now. Adding some more in Europe and
Asia ASAP.

A (current and historical) performance monitor, uptime monitor is a great
idea.

~~~
gridscomputing
When will the Sealand node come online?

~~~
rdl
Since it's ethernet-distance to the UK node, ... (after I left, HavenCo ran
servers out of London Telehouse for a long time claiming they were "on
Sealand". It was lulz when the place caught on fire and everything was
unaffected. Previously, we had 4xE1 running from border routers at Telehouse
back to shore near Sealand and then a microwave link, but I guess they figured
this was cheaper and more reliable and no one would check... :)

------
bliker
you broke #1 rule of the internet: "Logo in header must point to the
homepage."

~~~
rdl
At least the text next to it does, but will fix -- the traditional error is
"blog header links back to blog vs. corp site" which we've solved for now (by
not having a blog).

------
alex_doom
For the noobs, what's the difference in OpenVPN between UDP and TCP?

~~~
rdl
UDP will give you better performance. TCP will work better in pathologically
bad network conditions (either some kind of firewall, or some specific kinds
of network loss).

The issue is that "TCP in TCP" can lead to weird interactions where you delay
one packet, wait for retransmit, etc., and essentially a single packet lost
can eat up a second or two.

In general I'd always try UDP, and if it doesn't work, fall back to TCP.

They're equivalent security -- it's just network performance.

~~~
alex_doom
Thanks! Good to know. Service worked flawlessly.

------
davenull
How about one of those tryout codes?

