
PIA open-sources and announces audit plans - rasengan
https://www.privateinternetaccess.com/blog/2019/12/dont-trust-verify/
======
CivBase
> We encourage everyone NOT to trust, but instead, to verify.

I love this. I also don't know how you could possibly make it work.

> We’re building an internal roadmap...

Keyword: Roadmap

Translation: We haven't started on this, but it's something we think we want
to do so we're going to start talking about it.

> ...to create a transparent and verifiable infrastructure...

How is a user supposed to verify the infrastructure? Do you mean you're going
to hire a third-party auditor and ask users to trust their verification?

I mean, that's better than nothing but it doesn't exactly enable _everyone_
"not to trust, but instead, verify." In this scenario, the auditor is the only
one doing the verification.

> ...in which no one, including ourselves, is permitted access to the servers
> through which VPN traffic flows.

Then how do you deploy the servers in the first place? How do you identify and
handle hardware and software failures? How are you defining "access" such that
this idea is possible?

~~~
ohthehugemanate
Regarding verifying the application running server side matches the expected
OSS version, Signal has an innovative approach as a part of their
zero-knowledge contact discovery system.

> Run a contact discovery service in a secure SGX enclave.
> Clients that wish to perform contact discovery negotiate a secure connection
> over the network all the way through the remote OS to the enclave.
> Clients perform remote attestation to ensure that the code which is running
> in the enclave is the same as the expected published open source code.
> Clients transmit the encrypted identifiers from their address book to the
> enclave.
> The enclave looks up a client’s contacts in the set of all registered users
> and encrypts the results back to the client.

> Since the enclave attests to the software that’s running remotely, and since
> the remote server and OS have no visibility into the enclave, the service
> learns nothing about the contents of the client request. It’s almost as if
> the client is executing the query locally on the client device.

It's not perfect, but it is a huge improvement over blindly trusting the
software running on a third party server. There's a lot more detail, including
pitfalls, work arounds, limitations, and of course source code, in their blog
post on the subject :

[https://signal.org/blog/private-contact-discovery/](https://signal.org/blog/private-contact-discovery/)

~~~
BuildTheRobots
I don't suppose there's any more information on how remote attestation works?
(Ideally something an idiot like me could comprehend).

I can't understand how, if the company has control of the code running there,
they can't just modify it to report as the known good code. It seems like it'd
be slightly different from the DRM example where the end user can't access the
code running in the enclave in the first place and doesn't know what it'd be
reporting back.

~~~
BuildTheRobots
I can't edit my comment, but after reading up on Intel's secure enclave last
night, I still don't get how this would work in practice. As the end user (me)
needs to know what the server is going to return in order to verify that, I
don't understand what's stopping the server from returning that anyway. Even
if it's using public key crypto to sign a challenge I send it, I still don't
understand how I can have any assurance that this key only exists inside the
enclave and isn't just running in software on the server.
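The attestation check the two comments above are asking about, as an added illustrative model (not Signal's or PIA's code): the measurement is computed by the hardware over the loaded code rather than reported by the code, the quote is signed with a key the server operator does not hold, and the client's nonce and the enclave's key are bound into it. Assumed simplification: the CPU's attestation key is modelled as an HMAC secret shared only by the simulated hardware and the verifier's trust root; real SGX uses a vendor-certified asymmetric key.

```python
"""Simplified model of the remote attestation flow discussed above.
Added illustration, not Signal's code. The hardware attestation key is modelled
as an HMAC secret that the simulated CPU and the verifier's trust root hold and
the server operator does not; real SGX uses a vendor-certified signing key."""
import hashlib
import hmac
import os

HW_ATTESTATION_SECRET = b"cpu-fused-secret-not-held-by-operator"  # constructed
PUBLISHED_CODE = b"def lookup(contacts): ...  # reproducible build (constructed)"
EXPECTED_MRENCLAVE = hashlib.sha256(PUBLISHED_CODE).digest()  # from public source


def measure(enclave_code: bytes) -> bytes:
    """MRENCLAVE-style measurement: the hardware hashes the loaded code itself,
    so the enclave code cannot choose what value gets reported."""
    return hashlib.sha256(enclave_code).digest()


def enclave_quote(enclave_code: bytes, enclave_pubkey: bytes, nonce: bytes):
    """Quote produced by the (simulated) hardware for a running enclave.
    report_data binds the enclave's ephemeral key and the client's nonce."""
    report_data = hashlib.sha256(enclave_pubkey + nonce).digest()
    body = measure(enclave_code) + report_data
    sig = hmac.new(HW_ATTESTATION_SECRET, body, hashlib.sha256).digest()
    return body, sig


def client_verify(quote, expected_mrenclave, enclave_pubkey, nonce) -> bool:
    """Client-side checks; all three must pass before any contacts are sent."""
    body, sig = quote
    expected_sig = hmac.new(HW_ATTESTATION_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected_sig):              # 1. hardware signed
        return False
    if not hmac.compare_digest(body[:32], expected_mrenclave):  # 2. published code
        return False
    bound = hashlib.sha256(enclave_pubkey + nonce).digest()
    return hmac.compare_digest(body[32:], bound)                # 3. fresh, key bound


def run_scenarios() -> dict:
    """Honest enclave versus three things an operator might try."""
    nonce = os.urandom(16)
    pub = b"enclave-ephemeral-pubkey"  # constructed stand-in for a real key
    honest = client_verify(enclave_quote(PUBLISHED_CODE, pub, nonce),
                           EXPECTED_MRENCLAVE, pub, nonce)
    # Operator patches the enclave to log queries: the measurement changes.
    patched = client_verify(enclave_quote(PUBLISHED_CODE + b"\nlog(q)", pub, nonce),
                            EXPECTED_MRENCLAVE, pub, nonce)
    # Operator runs plain software and fabricates a quote claiming the
    # published measurement: without the hardware key the signature fails.
    body = EXPECTED_MRENCLAVE + hashlib.sha256(pub + nonce).digest()
    forged_sig = hmac.new(b"operator-guess", body, hashlib.sha256).digest()
    forged = client_verify((body, forged_sig), EXPECTED_MRENCLAVE, pub, nonce)
    # Operator replays a genuine old quote: the client's nonce no longer matches.
    replay = client_verify(enclave_quote(PUBLISHED_CODE, pub, b"stale-nonce"),
                           EXPECTED_MRENCLAVE, pub, nonce)
    return {"honest": honest, "patched": patched, "forged": forged, "replay": replay}
```

The point for the question above: the operator can change the code, but then the hardware reports a different measurement, and the operator cannot produce a valid signature over the expected measurement without the hardware's key.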

------
JumpCrisscross
Switched to Mullvad [0] after PIA was bought by a malware distributor [1][2]
and hired Mark Karpeles as their CTO [3].

The network is faster. Wirecutter recommends them [4]. If you want it, the Mac
app is stable and just works. And they support both OpenVPN and WireGuard.

[0] [https://mullvad.net/en/](https://mullvad.net/en/)

[1] [https://torrentfreak.com/private-internet-access-to-be-acqui...](https://torrentfreak.com/private-internet-access-to-be-acquired-by-kape/)

[2] [https://restoreprivacy.com/cyberghost/](https://restoreprivacy.com/cyberghost/)

[3] [https://www.engadget.com/2018/04/22/mt-gox-chief-returns-as-...](https://www.engadget.com/2018/04/22/mt-gox-chief-returns-as-cto-of-vpn-giant/)

[4] [https://thewirecutter.com/reviews/best-vpn-service/](https://thewirecutter.com/reviews/best-vpn-service/)

~~~
freehunter
Any reason not to recommend TunnelBear, which is Wirecutter's #1
recommendation? I don't use either of them so I don't have a horse in this
race, just curious why you picked the #2 recommendation and not the #1.

~~~
minxomat
TB was acquired by McAfee, if you trust them then good luck.

------
craftinator
Wasn't PIA bought by an offshoot from a shady malware producing company called
Kape? Isn't PIA's new CTO Mark Karpeles, one of the ringleaders of the Mt. Gox
debacle, who stole millions of dollars and was convicted for it in Japan?
Nothing says safety like malware and felons in your VPN provider.

Reddit thread with a decent timeline of events:
[https://www.reddit.com/r/PrivateInternetAccess/comments/e9fo...](https://www.reddit.com/r/PrivateInternetAccess/comments/e9fo3l/questionable_decisions/)

~~~
almostbasic
My name is Chris M and I am the CMO for Private Internet Access.

PIA management has prepared the following statement regarding Mark Karpeles’s
role at LTMH and we hope it addresses your doubts or concerns:

In 2018, Mark Karpeles was appointed CTO of LTMH, which was the parent company
of Private Internet Access prior to KAPE. However, Mark never had an
operational role in PIA and subsequently never had access to any part of the
PIA infrastructure nor any role in the planning or execution of the day-to-day
operations of PIA.

The role of CTO at PIA has been run collectively by Tommie P. (SvP Software,
joined January 2017) handling the software development side and Gaurav G.
(CIO, joined January 2015) handling the operational and infrastructure side of
the business.

Mark’s role at LTMH has predominantly been to manage development teams working
on FutureFC, general R&D, and providing a broader perspective of the industry
as a whole rather than PIA specific issues. His work is best summarized as a
valued external consultant for specific discussions related to the advancement
of our privacy and security efforts.

As part of the merger with KAPE to become Private Internet, Mark currently has
no operational role in the merged entity and is pursuing other endeavors.

~~~
Lammy
I'm sure his role is perfectly defensible and his experience a valuable asset
for PIA in this space, but I think the issue is the optics of such a hire and
what it says about other decisions that have happened or have yet to happen
regarding the sale/direction of PIA. It's just especially odd considering what
seems to me like obvious overlap between "People interested in having VPN
service", "People interested in Bitcoin", and "People who are distrustful of
Mark Karpeles".

~~~
almostbasic
I can understand how you would feel that way if Mark was hired as the CTO of
PIA, but as we stated before, he never had any operational role or access to
anything at PIA.

~~~
Lammy
Yep, I agree. That's why I said it was perfectly defensible. Getting burned by
Mark in the past causes me a bad _feeling_, though, and the world of feeling
and the world of logic often don't intersect, even within the same person.
Basically I acknowledge that my feelings aren't logical, but that doesn't make
them not exist.

------
gruez
> Verifiable Zero Access: Start! – We’re building an internal roadmap to create
> a transparent and verifiable infrastructure, in which no one, including
> ourselves, is permitted access to the servers through which VPN traffic flows.
> We will keep you abreast of all progress, and moreover, this will be a
> community-led effort. Verifiable Zero Access proves that we cannot log or
> monitor your traffic.

Is this going to be "nobody can access it because we locked ourselves out
(trust us)", or some sort of trusted computing solution that's
cryptographically verifiable?

~~~
AlexCoventry
I've heard it's possible to set something like that up on AWS, but of course
Amazon could still access it.

~~~
vorpalhex
I've built a system like this recently for a payments platform. Access _is_
possible but requires rebuilding the environment (and thus blowing everything
away) as well as admin access.

~~~
roddux
Is it possible to _verify_ that you cannot access said system, though? How
would that even be done? In most scenarios I can imagine you're still relying on
the server telling you something about itself... which it can lie about.

------
stoicShell
> We have begun reaching out to external auditors and, in tandem, are opening
> up our operations to review by our users. This allows you to verify with
> your own eyes, whenever you want. WYSIWYG.

Technical side: color me very curious about that "our users" part. I can't
wait to see what it entails.

Business side: bold move, it may prove to be a blue-ocean-like strategy, if
substantiated. Interesting.

____

Some rambling about access, transparency and "open"-things

Most people don't know that under the terms of most democracies, in principle,
any citizen has the right to go to any public office and request basically
anything non-classified: documents, accounts, etc. The idea being that the
State is but the expression of the sovereignty of the People.

Obviously, no one believes for one minute that any 'normal' citizen will be
granted access to most things. It's just an artefact of idealism you hear in
law classes and political activism circles I suppose (and it's grey-ish-ly
somewhat applicable at the lowest, local level).

It would be interesting to see a new breed of "open-sourced" businesses
granting access to customers (like States would to citizens), businesses whose
value resides not in secret sauce — things like accounting, plumbing or VPN
are probably "solved" matters of public knowledge. Because they can afford
almost total transparency, they may as well weaponize it against rivals who
can't — or won't. In markets where trust is anywhere from high-value to
mission critical, this might just open wide a whole new blue ocean.

~~~
rutierut
> Obviously, no one believes for one minute that any 'normal' citizen will be
> granted access to most things.

In the Netherlands we get reasonably close with what we call WOB requests
(literally: Law of Public Governance).

It takes a long time before you get the data (months) and it gets manually
redacted but requests like for example:

I would like to receive all internal communication of the ministry of Health
with my name in the email body.

Generally, get honored.

~~~
emj
FWIW it's not limited to your name, at least in Sweden it can be anything, but
to some extent they can claim technical difficulties with performing the
search. There are cases where one such request took thousands of hours to
complete.

------
yellow_lead
> _Open Sourcing the PIA Clients_

Love this trend of privacy companies open sourcing clients and not servers.
(sarcasm)

~~~
dastx
But the client is all that matters. If the client doesn't send them your IP
address, there is no way for them to track you in any way, shape or form.
Their servers would implode if they tried. It's impossible. Your system is
private. Now be quiet and keep paying them.

In case it needs to be said, that's all sarcasm.

~~~
johnpowell
If your IP was never sent wouldn't it be impossible for them to send you back
the information you requested?

edit :: I think I replied to comment that has been edited between when I hit
"reply" and when my comment appeared.

~~~
Johnny555
There's an easy technical solution to that, you can just use a VPN service to
hide your IP.... when you connect to your VPN service.

It's VPN's all the way down...

I'm mostly joking, but if you purchase the second VPN anonymously (gift card
paid with cash, bitcoin, etc) this would do a pretty good job of ensuring your
anonymity against most casual snooping. It's not going to hide you from the
FBI, but it would prevent either VPN provider from tying your browsing
activity back to you (unless they cooperate with each other).

~~~
ddtaylor
If only there was some kind of service where everyone routed each other's
traffic like a VPN with multiple hops by wrapping every message in layers of
encryption like an onion.

~~~
Johnny555
Admittedly, I haven't used TOR in a long time, but last time I used it, it
didn't work well for video, and I assumed most people using VPNs do it to
hide their porn habits.

I used to use a VPN to hide my browsing activity from my ISP (Comcast), but
now I have an ISP that I trust more, so pretty much only use VPN on public
Wifi to help protect my traffic.

------
neurostimulant
PIA Android client seems to be developed from a fork of OpenVPN Client for
Android (ics-openvpn) [1] which is GPL-licensed. The About screen contains a
link to the source code hosted on an S3 bucket [2] but it doesn't seem to be
publicly accessible.

Interestingly, despite being GPL-licensed, ics-openvpn seems to be commonly
forked by commercial VPN companies to develop their own closed-source Android
VPN client. The author is aware of this and posted a FAQ [3] out of frustration.

[1] [https://github.com/schwabe/ics-openvpn](https://github.com/schwabe/ics-openvpn)

[2] [https://s3.amazonaws.com/privateinternetaccess/sources/andro...](https://s3.amazonaws.com/privateinternetaccess/sources/android-v10464.zip)

[3] [https://github.com/schwabe/ics-openvpn/blob/master/doc/READM...](https://github.com/schwabe/ics-openvpn/blob/master/doc/README.txt)

------
Havoc
That sounds like an impossible promise. I wish them the best pulling it off
though - would be amazing (and instantly copied)

Worth pointing out that PIA is openvpn compatible so you don't need their
client

~~~
magduf
> Worth pointing out that PIA is openvpn compatible so you don't need their
> client

Are other VPN services not like this? How are you supposed to connect with
Linux then? And why would anyone who cares about privacy want to use a
proprietary closed-source client?

------
etaioinshrdlu
The same day the Orchid project launches, no less...
[https://www.orchid.com/](https://www.orchid.com/)

~~~
swinglock
Is Mark Karpeles, or any other well-known criminal, involved in Orchid? Is it a
pyramid scheme? I don't want to get burnt again or help fund scams.

~~~
etaioinshrdlu
Definitely not. The people behind it have great reputations and have good
reputations outside the crypto space as well. That doesn't mean it will work,
of course.

------
badrabbit
Incorporate in a country that has severe legal liability for breaking your
word such as Switzerland or Sweden (currently UK) and then we'll see. Short of
granting access to their hosting/IAM account how can I verify if something
else other than the VPN terminator can access traffic logs?

This raises even more eyebrows for me, I hope they back this up with some
serious crypto, architectural design and audit goals/reqs. Even in AWS where a
commenter said something like this is possible, your LBs and vpc/cloudtrail
like logs can still contain traffic and related metadata details.

Ooh this feels like such a smoke and mirrors show! Will they also be adding
this design change to freenode IRC servers?

A VPN company takes over the largest IRC network, for what profit? Freenode was
already advertising PIA like crazy. And now getting cozy with a for-profit
malware (read crimeware) operation related org that had since corrected their
old ways?

Please prove exactly how you can guarantee misconfigurations, previously
unknown bugs, KVM console access (or iLO) can't be used to implant a very
useful backdoor?

Linux servers? Yeah... if it was me I'd deploy the verifiable server, get
KVM/iLO and at the next scheduled reboot edit the grub menu and set
init=/bin/sh, mount the main fs as root, implant any undetectable changes and
reboot.

If you want to regain trust do it in a way that either makes you criminally
liable or a civil contract that states all company assets, funds, profit and
personal assets/wealth of all involved owners will be redistributed to all
unassociated customers and users (even free users and random freenode users)
if you violate your promise to not log traffic in any way including Layer 3/4
logs, store logs that are correlations and transcriptions of observed user or
traffic events, or interfere with traffic in any way, or if any founders or
associates have any ties at all with the UK government, GCHQ or any
governmental body or person at all. And if you can also clearly "open source"
your revenue streams completely and disclose any current or planned means to
profit as well as promise to disclose any future talks and plans of this
nature promptly then I think most of the allegations will lose ground in your
favor.

~~~
jlgaddis
> *your LBs and vpc/cloudtrail like logs can still contain traffic and
> related metadata details.*

Yep, and you can learn a lot about what your users are doing by capturing
Netflow data from the (router|switch) the VPN server is connected to.

I've never tried but I imagine that with enough data (traffic) in your
dataset, it might even be possible to get a pretty good idea of which
(de/un)encrypted traffic flows correspond to which users.

------
fouc
I remember taking a peek at the internal files of the PIA app in Mac back in
2013 and it looked like it was mainly ruby based? I guess it isn't anymore.

~~~
danieloaks
Yeah moved away from Ruby a while back. Took a little while to stabilise but
the new app is a lot better these days.

~~~
acodes
A wild D.O appears. Fun watching all this PIA stuff being discussed on HA.

------
sudoaza
I've been thinking for a while that it is in VPNs' own interest to do
cross-audits of no-log policy between VPN providers.

------
3leggedcatman
I thought it rather odd that Pakistan International Airlines would make their
software open-source, so I clicked on the link and found out that PIA was
something else entirely. Every time this happens to me I think of Ted Nelson.
Sigh.

~~~
jlgaddis
You could avoid this by looking at the domain name shown immediately after the
link text, I suppose.

~~~
3leggedcatman
I stand corrected.

------
mberning
These guys sponsor the street beefs channel on youtube. I find the company and
their guerrilla tactics fascinating.

------
Astropop
This is a really awesome move by PIA. I have been waiting for them to open
source for a while, so that's a good sign that this acquisition might actually
be a good thing.

How are you planning to choose auditors? Has anyone already agreed to be an
auditor?

------
knolax
> Random Audited Truths (I smell a rat!) – We have begun reaching out to
> external auditors and, in tandem, are opening up our operations to review by
> our users. This allows you to verify with your own eyes, whenever you want.
> WYSIWYG.

What if this gets used as cover to help exfiltrate data to their new parent
company/third parties?

