

Show HN: My new app, Cloak for OSX - davepeck
http://blog.getcloak.com/2011/05/12/cloak-stay-safe-on-the-internet-with-cloak-vpn/

======
davepeck
Hi, all. I just got the MVP of my new app out the door and I'd love to get
your feedback on it!

If you'd like to give it a go, drop me an email [davepeck at getcloak.com] and
I'll send you a special Hacker News invite code. (Or you can just sign up on
the Cloak home page.)

Cloak is a personal VPN, only (1) it's super easy to set up and get going, and
(2) we terminate in the cloud [AWS], which means we can scale dynamically to
meet load and can pick a data center near you to decrease the latency. Under
the hood, Cloak is built on top of the OpenVPN stack.

Cheers, and thanks for checking it out!

~~~
theDoug
You've got a good marketing page/site for it so far, good work keeping the
Mac-like look and feel. Having never paid for such a service your prices seem
perfectly reasonable to me for what it provides. Great luck, guys!

~~~
davepeck
Thanks very much. We put the pages together pretty quickly (MVP!), but I'm
constantly in awe of how fast Nick (our designer) makes things look... solid.

------
robterrell
I like your site, but I'm unsure how this would be better than simply using
the built-in VPN stuff. I have a paid VPN account configured and I use it when
on public wifi.

Also, I can share my VPN account with my mobile devices -- can I do this with
Cloak? I don't think OpenVPN is iOS compatible.

~~~
davepeck
Hi Rob,

What built-in stuff do you use (and who is your VPN provider)? While OSX is
far better than most at making configuration of secure connections easy, we
think there is still a long way to go. Cloak requires nothing but your
username and password -- no alphabet soup anywhere.

(We also think our price/performance is substantially better than the average
provider.)

As for iOS: stay tuned!

~~~
lamnk
Snow Leopard has included built-in VPN support (IPsec and L2TP, no OpenVPN).
And it is very easy to configure, admins can export VPN configuration to a
file and distribute it to end users. Installing the VPN profile is just a
double click away. Once configured, there is an icon in the menubar to
connect/disconnect, very much like your app.

I used it to connect to my university's VPN server (a Cisco Concentrator
3000). Works even better than the proprietary Cisco client.

~~~
davepeck
Yes, I've used this stuff before. It's great. It's also not specifically tied
to a scalable service, or directly integrated with billing and quota
management, etc. We think there's room for both things depending on
circumstance.

------
kylec
This is a compelling idea, but how do users know whether or not they can trust
your service? You would have access to all unencrypted internet traffic from
your users while the app is active.

~~~
davepeck
Hi kylec,

There are a few components to trust.

One component is trusting that the software does what it says it does. We're
engaged with some reputable security consultants to ensure that we're
delivering what we promise. We'll have (lots) more to say about that in the
coming weeks and months.

The second component of trust is being a trustworthy, transparent company.
Building that kind of trust takes time and presence in the industry and the
community. We've tried to strike the right balance with our initial MVP
website (see the features page at <https://www.getcloak.com/about/features/>)
but we know we have a long road ahead of us. Let us know how we did.

In some sense, our problem of trust is no different than any other VPN,
security, or service provider that deals with sensitive data. Trust is
difficult and we'll work hard to earn it.

Thanks!

------
gillygize
Living in Japan, I am familiar with a number of people who might try to use
your software to make it appear as though they are coming from the United
States, so that they could access Hulu or similar websites which are blocked
abroad.

I know that, with AWS, you can choose a data center in Asia, so I suppose this
type of action will not necessarily work with Cloak. I am just interested if you
have a policy for dealing with such behavior? It might represent a drain on
bandwidth, for example.

~~~
davepeck
Hi gillygize,

Our full terms of service and policies are listed here:
<https://www.getcloak.com/policies/>

There are a lot of shady looking (to me, at least) VPN providers that make a
big deal about how you can pretend you're in another country, etc. To me,
that's code word for "you can do bad stuff with us." We're not interested in
that -- we think that security should be easy for everyone -- and so, yes, we
get to decide where your back-end is located. There are other abuse issues
unrelated to location that we've taken pains to prevent, too.

------
dedward
It seems to me that the largest problem with this type of service, however
it's dressed up, is on the VPN endpoint. We could argue forever about which
transport is easier/has more security/etc - but if the VPN endpoint is not
extremely secure, resistant to subpoena, etc - then it's not all that useful
over a regular homebrew vpn.

~~~
davepeck
It depends on your needs. If you have the tools and skillset to set up and
maintain your own endpoint, and you're willing to spend the time to do so (or
you believe you can only trust it if you do so) then no VPN provider like us
makes sense. We think there are a lot of people who don't fit into this
category.

(Also: it's on our roadmap to let users create arbitrary secure networks with
Cloak [aka connect multiple clients together rather than run through our
endpoint.] It's not exactly the first thing on our roadmap, but we'll get
there ;-)

~~~
X-Istence
That second item mentioned in the parens, reminds me of Hamachi...

------
maqr
I've seen so many of these VPN-for-rent services that this is becoming an
obligatory reply. But I don't see anyone saying "ssh" on the comments yet, so:

Here's how to tunnel on OSX via ssh:

    ssh -fnNMD 8080 -S ~/.tmp-ssh-socket you@server.you.own && sudo networksetup -setsocksfirewallproxy Airport localhost 8080

Then when you're done:

    ssh -S ~/.tmp-ssh-socket -O exit localhost && sudo networksetup -setsocksfirewallproxystate Airport off

That will set your ssh server as the system-wide socks proxy.

Granted I don't have the time to wrap a pretty UI around it, but those
commands work, and I trust my own servers more than any service.

If anyone _does_ have time to wrap a pretty UI around it... OpenCloak could
exist mere hours after the commercial project went into beta :)
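
(Added example, not part of maqr's comment: the same two commands wrapped with the checks a tunnel like this needs. The proxy is enabled only after the ssh control master answers, and a proxy left pointing at a dead tunnel is detected and switched off. The function names and the SERVICE, SOCK, PORT and REMOTE variables are assumptions; the `ExitOnForwardFailure` option is an addition to the original command line.)

```shell
#!/usr/bin/env bash
# Added example: wraps the ssh SOCKS tunnel from the comment above.
# SERVICE, SOCK, PORT and REMOTE are assumptions; adjust to your setup.
SERVICE="${SERVICE:-Airport}"          # network service name used in the comment
SOCK="${SOCK:-$HOME/.tmp-ssh-socket}"  # control socket path used in the comment
PORT="${PORT:-8080}"
REMOTE="${REMOTE:-you@server.you.own}" # placeholder host from the comment

# True when the ssh control master behind the tunnel is still alive.
tunnel_alive() {
  ssh -S "$SOCK" -O check "$REMOTE" >/dev/null 2>&1
}

# True when the system SOCKS proxy is switched on for $SERVICE.
proxy_enabled() {
  networksetup -getsocksfirewallproxy "$SERVICE" | grep -q '^Enabled: Yes'
}

proxy_off() {
  sudo networksetup -setsocksfirewallproxystate "$SERVICE" off
}

# Start the tunnel; enable the proxy only once the master answers a check.
# ExitOnForwardFailure makes ssh quit if it cannot bind the local SOCKS port.
tunnel_up() {
  ssh -o ExitOnForwardFailure=yes -fnNMD "$PORT" -S "$SOCK" "$REMOTE" || return 1
  tunnel_alive || return 1
  sudo networksetup -setsocksfirewallproxy "$SERVICE" localhost "$PORT"
}

# Turn the proxy off first so nothing points at a dead port, then stop ssh.
tunnel_down() {
  proxy_off
  tunnel_alive && ssh -S "$SOCK" -O exit "$REMOTE"
  return 0
}

# Print "off", "ok", or "stale" (proxy on, tunnel gone); a stale proxy is disabled.
tunnel_status() {
  if ! proxy_enabled; then echo off
  elif tunnel_alive; then echo ok
  else proxy_off && echo stale
  fi
}

case "${1:-}" in
  up) tunnel_up ;;
  down) tunnel_down ;;
  status) tunnel_status ;;
esac
```

Running the `status` action from a periodic job catches the case where the laptop slept or changed networks and the ssh master exited while the system proxy setting stayed on.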

~~~
kelnos
Except it wouldn't be OpenCloak... it'd be
OpenCloakForPeopleWhoHaveShellAccountsOnServersSomewhere, which is much less
useful to your average -- but security-conscious -- user.

~~~
semanticist
You could feed it your Amazon authentication details and let it bring up an
EC2 instance automatically.

That would make it functionally equivalent to Cloak.

~~~
kelnos
Don't you need to specifically sign up for AWS as well for that?

------
capnrefsmmat
Have you considered some sort of pay-by-usage (by time, by bandwidth,
whatever) plan for people who don't know how often they'll need a VPN?

It's not every month that I'm in a hotel or a coffee shop, so it's hard to
justify a monthly subscription.

~~~
davepeck
We've heard this from several people and are investigating what a reasonable
model would be. (Bandwidth is the key driver of our costs.)

I would say that our current (beta) pricing is stake-in-the-ground, so
anything you can tell us about how often and how much you'd use this would be
very helpful.

------
tshtf
Quick question about your implementation. Do you generate a key for each user
using PKI, or is there a shared key for all users? I had a previous VPN
provider that used a shared key for each user, which was a security issue.

~~~
davepeck
Wow, that's not a very good way to use keys. ;-)

We have our own authentication mechanism that ties into our billing and quota
machinery. So no such problems with Cloak.

~~~
moe
Using eurephia[1]?

[1] <http://www.eurephia.net>

~~~
davepeck
We rolled our own actually.

------
haukurgud
Very cool stuff, something I would most likely use myself :)

~~~
davepeck
Awesome! Drop me an email [davepeck at getcloak.com] if you'd like the special
Hacker News invite code. ;-)

------
vertr
This isn't entirely constructive, but I like your design. It's close to some
of the stuff I've been building lately, and gives me a few ideas for my next
design project.

~~~
davepeck
Thanks, I'll pass that on to our designer, @thecropsie.

