NordVPN sued by Torguard for blackmail [pdf] (torguard.net)
168 points by rasengan on June 4, 2019 | 146 comments

Had a quick skim; it seems at a glance like someone from TorGuard badmouthed NordVPN in a YouTube comment (sigh), so NordVPN apparently in response threatened to disclose "trade secret information obtained by NordVPN regarding TorGuard’s systems" it obtained via a hosting provider TorGuard used which is owned by the NordVPN people. This apparently involved some pretty sketchy stuff like sending people to the house of a TG employee to intimidate them.


What kind of 'trade secret information' could a VPN provider be blackmailed with though? What kind of information could you glean as the owner of a 'service provider' for such a use? I'm suffering from an apparent lack of imagination here.

Either way, this looks pretty messy and as a NordVPN user, I'm surprised how amateurish this all seems.

Reading the parent PDF vs Nord's response [0] I'm slightly more inclined to believe Nord's version of events here...

0: https://nordvpn.com/blog/torguard-lawsuit/

Nobody comes off looking particularly good here. If these corporations are going to act like grade schoolers calling each other names on the playground, I'm inclined to not use either of them.

I used NordVPN for about a year a couple of years ago and I found their quality of service unsatisfactory. I've been using ProtonVPN for about a year now and I've been very satisfied. But that's just my personal experience and YMMV.

But how did NordVPN find a vulnerability in their trash-talking competition in the first place? What were they poking at and why were they poking it?


I'm not sure, their response could be fabricated too. I'm interested in if Torguard has any evidence of them physically approaching their employee.

> Within an hour of this in-person and unannounced visit, the same TorGuard contractor received unsolicited correspondence from an employee at NordVPN. This correspondence stated that NordVPN had received certain of TorGuard’s confidential and trade secret information and requested to set up an instant message chat to discuss this with TorGuard.

Also, according to both parties they communicated with each other with evidence. So all either party has to do to claim their innocence is submit the emails/communications they claimed to have.


The DDoS part I'm very wary about. What evidence does TorGuard have that NordVPN was the one carrying out the DDoS attacks? I'll admit I haven't thoroughly examined the entire document, but they don't really seem to state how they know NordVPN was behind the attacks, they just list the dates they were attacked. Given the nature of DDoS attacks, they could be from anyone.

On the DDoS...

I'm more inclined to say they don't know who it was, but pointing fingers, and Black Friday to maximize the potential damages reward.

The legal case also says "unknown individual"; so they could be a run-of-the-mill reporter or something.

A lot of what Torguard is saying in the case is pretty benign. An email from header can be faked, trade secrets, if left on the open web... aren't really secret anymore.

Nord isn't in a clean place either. Their response is making claims that the legal case doesn't even touch.

What if I told you that a lot of these "VPN providers" were shell companies built to explicitly facilitate access and tools for crime / espionage with the premise of having users there as cover.

Not something that many HN posters will be familiar with, but if you're a holder of significant pieces of ARIN or RIPE IP space, you'll inevitably be approached by a number of suspicious looking companies that want to "rent" your ipv4 space (by the /24 block) for VPN/proxy usage.

The end result if you actually fall for their bullshit is that your IP space will be listed in every RBL until the end of time, and will have a bottom 5% rank in every IP space reputation/antifraud system until the heat death of the universe.

Every time I've been approached by these clowns, I've spent a cursory 3 to 5 minutes trying to find an actual business behind it (names of real humans, street address that isn't just a mailbox, location of real ISP infrastructure equipment at some real IX points) and failed to find anything resembling a legitimate ISP.

I'm just curious, do you own/work for a company with a bunch of ip addresses? Or did you buy them for a homelab?

Also, is there an "affordable" way to own an IP?

The former. Second question, not really, and you never own an IP, you just have permission from ARIN, RIPE, APNIC, etc. to use it.

>What if I told you that a lot of these "VPN providers" were shell companies built to explicitly facilitate access and tools for crime / espionage with the premise of having users there as cover.

Interesting. I mean, Tor was originally developed by the Navy as an OSINT tool, and later released because an "anonymity" network only used by the Navy isn't very useful.

More and more often non-state actors are doing what used to be in the purview of intelligence services, so it passes the sniff test.

But without specific evidence all I'll say is "plausible, but unconfirmed" :)

Oh trust me, I'm well aware of "VPN providers". Just check out luminati.io. See how they offer an SDK so "You can offer the user a choice between advertisements or a bit of background data usage"? I asked, and they are only interested in partners with 100k active users a month. Right, like a legitimate company with that many users is going to use luminati.

Or oxylabs.io who I think owns luminati?

I'm also aware that many of the VPNs are owned by the same parent companies.

And also that VPNs are ridiculously over marketed. They don't "add security" for most people, they just move who you're trusting from your ISP to the VPN company. Right, like I want to trust a company registered in Panama with no other existence outside of this year not to sell my data.


tl;dr - I don't trust any of them. If I want a "VPN" I just ssh-tunnel into a VPS from an established company that I purchase with a different account. Could the VPS provider do fishy stuff? Sure, but I trust them a lot more than these "VPN" providers.

More on how luminati and other "residential ip" providers work here: https://medium.com/@xianghangmi/resident-evil-understanding-...

Looks like Luminati is also explicitly getting developers to put a luminati proxy client into their apps and have users opt into using that instead of getting fed advertisements.


Between your link, and the luminati FAQs, I definitely have more questions than when I started looking at these articles.

Luminati didn't start off like that. They started by burying what they were doing in a "free" vpn.

I asked, and they are only interested in partners with 100k active users a month. They REALLY REALLY wanted to talk to me over skype. Right, like a legitimate company with that many users is going to use luminati.

The use case of luminati is almost entirely grey/black hat. Their history is laughably sketchy. Unless anybody knows of any apps that use the SDK and ask for permission, I suspect that FAQ page is just for show. Again you have to be a big player to even use it, it's not a stretch to believe they don't "enforce" the consent rule.

Wow, very interesting read. Thanks for bringing this to light.

Wow, that's a good read.

+1 on ssh + vps. People will say it isn't as anonymous as the shared vpn's and while that is somewhat true, it is still more than sufficient to remove your home IP from logs. Short of scary letters and warrants to the VPS provider, people won't really know who you are. You can also automate the rebuilding of proxy nodes to get new IP's, as most VPS providers have an API for automated rebuilds.

Exactly this.

For non-state actors my "data" is gone. You'd need a warrant to get data from my VPS provider, so for most of the common threats I'm pretty anonymous to non-state actors.

Maybe you don't want your employer to see everything you search? Interestingly for programmers the ssh-tunnel is perfectly explainable, especially if you do most of your browsing in the clearnet, and only some over your ssh-tunnel.

If your threat model includes state actors (doing something illegal hmmmm?) then I would recommend doing something a bit different, but for what most people are using services like Nord for ssh + vps should be fine.

EDIT: If y'all are torrenting then just get a 10$/mo seedbox, you'll thank me later.

Are there any high quality VPS providers that have a way to sign up and pay anonymously with Monero (or similar), manage via tor browser, etc?

This here is assuming you don't have a nation state actively trying to track you down. Otherwise see [0]

One option is to use basically any provider + prepaid visa cards. Just access the website over tor or a VPN you semi trust. Sure it's technically traceable but not without a lot of trouble.

Keep in mind that once the VPS provider is issued a subpoena they still have access to your connecting computer's IP. They then have to issue a subpoena to your ISP for your account information. The only way to hide your IP is to use a proxy or a vpn... Oh wait, yeah that's the issue. See [0]

I personally just recommend using whatever you'd like, Vultr, DO, scaleway, etc. Feralhosting isn't anonymous but they uh... don't care what you really use it for cough torrents cough.

[0] If you're REALLY trying to be fully anonymous then you'll need to put on your blackhat. I would start with planting a raspberry pi in a business, library, coffeeshop, etc. You can use that IP as a starting point. You won't want to use only that one IP most likely, so you're going to need more proxies/servers, most common method is botnets. This really isn't worth the trouble to 99.9999% of people.

Edit: I guess I'm estimating there are ~7,000 people in the world who it's worth the trouble to do.... Actually that might be accurate, cool! :D

I've tried using prepaid cards with VPS providers and only found one that still took them (as of a couple years ago). Most won't take gift cards (prepaid visa) any more.

Hmm I was wondering if that was the case nowadays.

Honestly I don't think the extra step is worth it since the VPS will still know your origin IP in the event of a subpoena anyway.

You could try https://privacy.com but ironically I doubt it'll help much in terms of privacy. (I use privacy for convenience, as it essentially mitigates your card numbers being leaked - they're locked to the vendor and you can impose spending limits)

Unfortunately I doubt there's many people who want 100% privacy that you'd want as customers if you're a VPS provider. I know Vultr accepts crypto but you have to prove your identity first (still great if you're a crypto advocate as privacy isn't the only benefit).

Otherwise you're stuck with resellers and grey-market providers. You could try "bulletproof" hosts from various uh-greyhat-forums but trusting those is very mehhhhh.

If I were taking such measures, I would just park near a coffee shop and use their wifi, using hardware I paid cash for and periodically changing my MAC address.

VPS providers can log connections and you won't really know how long they retain the data until it matters.

Wouldn't Tor hide your ip from the VPS provider even if they're subpoena'd?

EDIT: I realized this question might be confusing in this context. I'm not talking about torrenting large files (which you wouldn't want to do over Tor). I'm just wondering if it's possible to run a VPS with 100% anonymity.

IIRC can't an SSH tunnel leak your browsing through DNS leaks, or am I misunderstanding? I thought you usually want to use an actual VPN protocol like Wireguard.

socks4 leaks DNS requests, socks5 can tunnel them as well.
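
What the comment above describes, shown at the byte level (an added example, not part of the thread; the function names and the sample hostname and address are constructed): a SOCKS4 CONNECT request can only carry an IPv4 address, so the name is resolved before the tunnel, while SOCKS5 can carry the hostname to the proxy. The SOCKS4a extension is included as well, which goes beyond the comment.

```python
import ipaddress
import struct


def socks4_connect(ip, port, user=b""):
    """SOCKS4 CONNECT: VN=4, CD=1, DSTPORT, DSTIP (IPv4 only), USERID, NUL."""
    return (struct.pack("!BBH", 4, 1, port)
            + ipaddress.IPv4Address(ip).packed + user + b"\x00")


def socks4a_connect(host, port, user=b""):
    """SOCKS4a: DSTIP is 0.0.0.x (x != 0) and the hostname follows USERID."""
    return (struct.pack("!BBH", 4, 1, port) + b"\x00\x00\x00\x01"
            + user + b"\x00" + host.encode("ascii") + b"\x00")


def socks5_connect(dest, port):
    """SOCKS5 CONNECT (after method negotiation): VER CMD RSV ATYP ADDR PORT."""
    try:
        addr = ipaddress.ip_address(dest)
        atyp, body = (1 if addr.version == 4 else 4), addr.packed
    except ValueError:
        # Not an IP literal: send the name itself (ATYP 0x03, length-prefixed).
        name = dest.encode("ascii")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        atyp, body = 3, bytes([len(name)]) + name
    return bytes([5, 1, 0, atyp]) + body + struct.pack("!H", port)


def _need(buf, n):
    if len(buf) < n:
        raise ValueError("truncated SOCKS request")


def classify(request):
    """Parse a CONNECT request and report which side had to resolve the name.

    dns == "proxy":  the hostname travels inside the tunnel.
    dns == "client": only an address is present, so any lookup happened
                     on the client, outside the tunnel.
    """
    _need(request, 1)
    if request[0] == 4:
        _need(request, 9)
        port = struct.unpack("!H", request[2:4])[0]
        ip, rest = request[4:8], request[8:]
        _user, sep, tail = rest.partition(b"\x00")
        if not sep:
            raise ValueError("unterminated USERID")
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            host, sep, _ = tail.partition(b"\x00")
            if not sep or not host:
                raise ValueError("SOCKS4a request without hostname")
            return {"proto": "SOCKS4a", "dest": host.decode("ascii"),
                    "port": port, "dns": "proxy"}
        return {"proto": "SOCKS4", "dest": str(ipaddress.IPv4Address(ip)),
                "port": port, "dns": "client"}
    if request[0] == 5:
        _need(request, 5)
        atyp = request[3]
        if atyp == 3:
            n = request[4]
            _need(request, 5 + n + 2)
            host = request[5:5 + n].decode("ascii")
            port = struct.unpack("!H", request[5 + n:7 + n])[0]
            return {"proto": "SOCKS5", "dest": host, "port": port, "dns": "proxy"}
        size = {1: 4, 4: 16}.get(atyp)
        if size is None:
            raise ValueError("unknown ATYP")
        _need(request, 4 + size + 2)
        addr = ipaddress.ip_address(request[4:4 + size])
        port = struct.unpack("!H", request[4 + size:6 + size])[0]
        return {"proto": "SOCKS5", "dest": str(addr), "port": port, "dns": "client"}
    raise ValueError("not a SOCKS4/SOCKS5 request")


def leaks_dns(request):
    """True when the request carries no hostname for the proxy to resolve."""
    return classify(request)["dns"] == "client"


if __name__ == "__main__":
    # Constructed samples: example.com and the documentation address 192.0.2.10.
    for req in (socks4_connect("192.0.2.10", 443),
                socks4a_connect("example.com", 443),
                socks5_connect("example.com", 443),
                socks5_connect("192.0.2.10", 443)):
        print(req.hex(), classify(req))
```

With `ssh -D`, which speaks both SOCKS4 and SOCKS5, the client application still has to be configured to send hostnames rather than already-resolved addresses for the lookup to go through the tunnel.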

Stick with the big players, PIA, airvpn. I trust those two.

At the end of the day they're mostly just fancy OpenVPN profiles. The entire space is fishy AF IMO.

I'm thankful that linustechtips seems to evaluate their VPN sponsors at least. I believe they dropped tunnelbear in favor of PIA because of similar concerns.

Tunnelbear was acquired and all sponsorship dropped, he actually mentioned it on one of the derbauer overclocking posts from Computex this past week.

PIA has cross pollination with IP blocks owned by Micfo subsidiaries as well. They're all like 2 degrees away from each other.

Oxylabs and Luminati are competitors. They don’t own them.

Regarding the DDoS part, the claim seems to be that the attacks were based on the secret information NordVPN possessed:

"35. The DDoS attacks directed against TorGuard were based upon the Information— the nature and way they occurred and were timed made it patently obvious that the attacker had obtained the Information from Collective 7 and was utilizing it as a roadmap for DDoS attacks."

See that's the first part of the story to me where both stories make a bit of sense. Nord says they discovered a configuration file with IP addresses that still worked.

If those were infrastructure IP's, and not otherwise public, that would certainly make more sense as to how Torguard believes Nord was responsible.

I know they used the timing like Black Friday as evidence that it was a competitor carrying out the attacks, but they have lots of competitors, so I was really confused as to how they settled on Nord as the attacker.

The NordVPN blog post leaves me with many questions.

1) Someone supposedly "gave" them the URL. They do not state how they found it, or how it was related to TorGuard. So who gave it to them? The Collective 7 hosting company? It appears Collective 7 was selling "Residential Solutions for VPN Providers":


2) Did they ask TorGuard to censor Youtuber "Tom spark reviews"? It seems he is critical of them: https://www.youtube.com/channel/UCXJWKuGh0qedrYviGEJmlWw

Tom Spark was also doxxed by the ProtonMail Reddit rep for posting videos they did not like: https://old.reddit.com/r/ProtonVPN/comments/96m5vc/is_it_tru...

Found the link here: https://medium.com/@gaetanosabin/did-nordvpn-and-protonmail-...

So it doesn't surprise me that NordVPN (Proton) wants this Youtube Streamer's videos and blog taken down.

Shouldn't NordVPN and Proton uphold user privacy and fight against internet censorship? They are doing the exact opposite here and that is very troubling.

NordVPN is good at spinning stories, but quite frankly they have been caught in too many lies to ever trust again [1].

[1] https://news.ycombinator.com/item?id=18609655

If you take two seconds to read the responses to that link, the claims made in the post are almost entirely baseless.

The OP here is a co-founder of PIA, and IIRC he was behind a lot of the ProtonVPN and NordVPN controversy that is being cited in the link he provided. So basically, he's providing proof that he created a year ago.

> So basically, he's providing proof that he created a year ago.

I was able to fact-check his claims, since I am from the city where Tesonet is based, and found none of them to be completely false or baseless. It turned out to be an open secret in the local tech community[1].

[1] https://i0.wp.com/vpnscam.com/wp-content/uploads/2018/08/201...

From what I remember, that PDF was also created by the same guy and shared on several sites. ProtonVPN at least came forward with a chain of evidence for why there would be a connection, even a weak one, but I don't recall NordVPN saying much at the time. Still, the fact that the co-founder of a VPN company is trying to dig up dirt on other VPN companies doesn't make me trust his at all, it just seems shady.

> Still, the fact that the co-founder of a VPN company is trying to dig up dirt on other VPN companies doesn't make me trust his at all, it just seems shady.

I think it's a normal practice in every industry to try to find out who your competitors really are. Whether that information should be made public or not is a different question, but it doesn't make it inherently false. Instead of naively believing in carefully crafted rebuttals, people should try to verify the facts by themselves.

Their response is certainly better written and does have something about the ring of truth to it.

Even taking into account the insanity of legalese that lawsuit was... wordy, at best. Poorly organized and repetitive would also apply.

I always was a little sketched out by Torguard... much like how Wikileaks piggybacked on Wikipedia, the fact they put "Tor" in their name despite not being affiliated with Tor squicked me out a bit.


Is TorGuard related in any way to the “tor” project?

Answer: No, The reference to "tor" in TorGuard relates to "torrents" and guarding one’s privacy when using bitorrent. We are not related in any way to the “tor” project however the company does support through donations.

Burying an entry in a FAQ does not change the fact people may not read said FAQ. Tor predates Torguard. It's perfectly possible people may be misled, especially since both are "privacy tools"

Note that Wikileaks was originally a wiki, though the name may have also intentionally echoed Wikimedia projects.

> On or about May 17, 2019 an unknown individual appeared unannounced at the personal residence of a TorGuard contractor, asking to speak with him about his relationship with TorGuard and the VPN industry

This whole thing sounds sketchy AF for NordVPN. While not technically illegal, just approaching a competitor's employee unsolicited at their home (!?) has red flags all over the place.

Mind you, telling about some privacy company that they have 'trade secrets' which should be exposed is a low blow under the belt... if you have some critical information for its users' privacy, then share it... (being privacy advocates and a VPN service themselves.. it would be responsible.) With that in mind, it just sounds like someone with a bad temper with too many responsibilities, as usually these things turn out to be...

They never mentioned that the secrets revolved around users' privacy

> What kind of 'trade secret information' could a vpn provider be blackmailed with though?

According to TorGuard's blog post they stole information from an install script that was allegedly used at C7 hosting:


An installer script could easily give an attacker insight into internal TorGuard IP addresses that would otherwise be hidden.

My guess is these internal IP addresses from whatever was stolen were targeted with DDOS.

> What kind of 'trade secret information' could a vpn provider be blackmailed with though?

That's easy. A VPN provider has access to all kinds of juicy information, such as who their customers are and what they are up to online.

They may have been compromised already, they may sell user data. There are all kinds of things that could be going on that would definitely be stuff they could be blackmailed with.

Whether any of that is the case remains to be seen.

They have definitely been compromised. You can buy lifetime accounts on the darknet for a dime a dozen with suspiciously not-real-person email addresses and passwords. Other VPN services and accounts for sale are much more expensive and you can usually tell at a glance that the credentials were stolen from a real user.

Edit: Perhaps the unimpeded sale of these "hacked" accounts leads indirectly/directly back to someone inside NordVPN? A dirty "trade secret" they wouldn't want revealed..? Seems farfetched but they have not proven themselves trustworthy in the past.

It's not a YouTube comment. It's my entire channel. They want me to remove NordVPN videos like this one: https://youtu.be/xxwvAjmNec8

The plot thickens..

I mean... How are you involved? Why would NordVPN allegedly blackmail TorGuard to get you to stop posting negative things? What leverage does TorGuard have over you?

> What kind of information could you glean as the owner of a 'service provider' for such a use?

They could find internal targets for DDOS to disrupt the competing VPN service so users get kicked off or can't login. If you can't use what you paid for most would ask to cancel.

DDoS attacks like this occur in any competitive space, but what bothers me here is the hosting company Collective Seven appears to have betrayed a client's trust for competitive gain.

With such dishonest practices by hosting providers these days it makes me wonder what is really going on.

How come everyone seems to ignore a fact where TorGuard's server config file was floating around on the internet? I just can't wrap my head around that. Is this lawsuit really an attempt to intimidate Nord, so they don't disclose this vulnerability publicly? Wouldn't surprise me if so.

It’s not uncommon for ISPs to voluntarily tap and sell traffic data to government agencies - perhaps this is another case of that.

Hey guys, Tom Spark here. I'm the video content creator that caused this whole thing. NordVPN hates my channel since I critique and criticize them a lot. They want to censor my channel to remove the bad reviews and so forth (ironic from a VPN company that is supposed to prevent censorship, no?). To date, NordVPN is one of the lowest rated VPNs on my VPN tier list at http://vpntierlist.com/.

They are also in the news a lot for various things and I make sure to cover it whereas other VPN affiliates don't (most VPN affiliates are aligned with 100% based commission VPNs like Nord).

I summarized the entire story with 3 videos if anyone wants the full story. Or the latest take on Nord's blog post here (which I believe to be complete bull): https://www.youtube.com/watch?v=icD3Bva7xtY

I'm not directly accusing you of anything, but you sort of come across as a shill or extreme fanboy of TorGuard. How can you give them 5s across the board?

-Speed: During my testing with PIA and TorGuard, PIA was consistently 50% faster.

-App: The TorGuard app is lacking in features and poorly designed.

-Price: It's substantially more expensive than most providers.

-Reputation: They've had not too great a reputation for a while now

I do not believe that you are an objective party here.

Yeah, to still give them 5 stars for reputation after this whole lawsuit fiasco, is absurd. The apps are mediocre at best, rated just 3.1/5: https://itunes.apple.com/us/app/torguard-anonymous-vpn-servi..., so if nothing else his app score is clear evidence of him being impartial.

According to comments on his review they've also added Google trackers/captchas to their login page, something you wouldn't see on a reputable provider.


Yeah, everyone who disputes your dubious paid endorsement of TorGuard as perfect/"GOD-tier", despite indisputable evidence to the contrary like having mediocrely rated apps, is obviously shilling for their competitors.

Give me a break...

FACT: Tom Spark is a TorGuard shill. Affiliate #4374.

Speed - PIA has always been a fast competitor to TorGuard. However, TG is extremely fast for torrenting, like REALLY fast. Test it yourself, or watch my videos.

App - The app's design is fine, a bit old school, but easy to use and updated within the last year. It also has a ton of security features (app + network switch), streaming IP integration, and the list goes on.

Price - It's the same price as PIA now, and with my discount code "tomspark" which isn't unique really, since TG has thousands of 50% off codes floating around, its $5 a month compared to $10 a month with PIA...

Reputation - TG's reputation has been flawless. They don't make any false claims and are honest about their jurisdiction, as well as a no logs policy. This is why so many VPNs try to buy them out (as claimed in the TG lawsuit document). The fact they are suing another VPN for blackmailing them is a good thing IMO. They are showing some balls. The fact so many VPNs are trying to DDoS TorGuard as well, shows they are doing something right.

So yes, I am an objective party. I have been reviewing VPNs since 2015, and have re-reviewed more than 20+ VPNs this year alone.

Not to mention TorGuard only has an affiliate commission rate of 30% which makes it lower than most any other VPN in the industry (proving that I am not a sellout like other reviewers).

A video of yours that I just watched that attempts to show the "REALLY fast" torrenting speeds shows ubuntu 18.10 downloading at 11.2 MB/s (so ~90 Mb/s) with 2200 seeds (and 98 connected). Is this what I am supposed to be seeing? Is there another video I should watch? I haven't tested with the same file, but I routinely break 150 Mb/s while torrenting through PIA.

In regards to price, no one in their right mind should pay for a VPN monthly.

Good job neglecting everything else I mentioned. TorGuard is still 30$ a year which is vastly cheaper than PIA which doesn't offer discount codes. And no I'm referencing the current 2019 speeds comparing both reviews.

If you pay bi-yearly, PIA is ~$40. A bit more, but it's still faster and has better apps.

False. $268.65 3 months free3 + $83.87 per two years.

PIA is $84 for two years.

Is there some legitimate reason that you don't understand, and can't communicate, PIA's pricing structure? I'm a customer of theirs, and you seem to have a huge axe to grind.

That video raised quite a few red flags with me and don't think that was a good coverage of this controversy.

For one thing, I don't think nordvpn would care about the 5k bug bounty.

From reading https://restoreprivacy.com/torguard-nordvpn-lawsuit-blackmai... it seems like there are quite a few serious allegations that are so absolutely ridiculous that it has to be nonsense or so ridiculous they're likely to be true.

Also, suing the wrong company is a big oversight. That's really sloppy work and doesn't inspire a lot of confidence.

They confused two companies in Toronto that are both called C7. It's an easy mistake to make, and one that was corrected in just a few days.

You just posted a link to a blog that rates NordVPN as its #2 rated VPN, and hasn't even reviewed TorGuard yet, so that source is not credible at all.

> hasn't even reviewed TorGuard yet, so that source is not credible at all

We're not comparing service quality so I don't understand what them not having reviewed TorGuard has to do with anything.

FWIW, I think the link posted was clearer and fairly objective.

I'll also add that the other video you made: https://www.youtube.com/watch?v=lwHssMNEWMg is more useful because it addresses some questions I had like why NordVPN would think to remove your video through TorGuard and if they had reached out to you directly.

All in all, very strange situation and I am interested to see how this pans out.

It's relevant because RestorePrivacy has a clear bias against TorGuard since it's based within the US. Sven Taylor hasn't reviewed TG yet on purpose, and the fact he mentions 4 year old "VPN.AC" stuff against TorGuard in the article, just goes to show the article isn't just a news piece but it's obvious he's taking sides. He fails to mention several important bits of information on Nord's response I covered in my video.

News has to be objective. He doesn't mention how A) NordVPN was given a file instead of the file being given to TorGuard first which is extremely weird, B) NordVPN does not mention showing up to TG's house C) Why would NordVPN help TG fix a bug when the two companies have been butting heads for years now? D) NordVPN admits in the blog post that they started the conversation in hope TG would stop "defaming them" which is basically an insinuation of blackmail. E) NordVPN has not denied any actual relationship to Collective Seven yet. I could continue down the alphabet, but you get the picture (watch my video on it).

Oh look it's Tom Spark - TorGuard Affiliate Number: #4374

You're not biased at all are you Mr. TorGuard Affiliate?

Mr. TorGuard Affiliate that lists only one VPN (TorGuard) on his website as "God Tier", what a joke.

Here, watch this you troll: https://youtu.be/ppbZ3tFQ1ts

Troll? Nah, I'm stating a fact. You're a TorGuard affiliate, your affiliate ID is #4374 and you try to hide the fact by using bit.ly links to mask your affiliate number.

NordVPN is by far the shittiest VPN service I have ever used. They billed me twice, two months in a row, and getting them to fix it was like pulling teeth. This is not to mention the hard time I had actually using the service, between random inability to connect and outages.

They have ISP-level arrogance, without the lock-in. I have no idea how they're still in business.

So I'd be very inclined towards believing this story.

> I have no idea how they're still in business.

I imagine it's good marketing. They sponsor a lot of Youtube videos.

Pretty much every VPN service does. Every tech youtuber has one VPN service advertising with them. Along with cutting prices for viewers who use those links. I have to think it's a fairly solid sales model. The viewers would also line up with their best selling demographics.

Interesting, I have had the exact opposite experience personally. I have used the customer service in the past to fix a problem I caused (payment related), and they were prompt and helpful. Not only that but I get the best speeds (300 Mbps) from them over any other VPN I have used, and my connection is rock solid.

This story doesn't make me happy with NordVPN or TorGuard as a service however.

To provide a different perspective from that of kadoban, NordVPN is by far the best VPN I've used, and I've tried most of them (got to make use of those free trials). I had one issue with billing which was cleared up the same day, can't think of a time I've had a noticeable outage, and the UI is one of the best ones I've used. No, I don't work for them...

Reading NordVPN's side of the story, I wouldn't be inclined to believe either story until the truth has been pulled apart in court. [1]

[1] https://nordvpn.com/blog/torguard-lawsuit/

No idea what's up and down in the actual case, but I can, anecdotally, counter your experience with a wholly positive one from the other side of the fence:

I have a TorGuard account, and I use the VPN an awful lot - it's the default connection on the machine I'm currently writing on. Been using for a couple of years, and never once have I seen trouble or even inconvenience, save the obstacles a few sites choose to set up based on an IP address. Nor with billing. They mail me an invoice. I pay. Stuff just works.

Can anyone recommend another VPN provider, than Nord or Torguard? Main use case is for using public WiFi when travelling.

>Main use case is for using public WiFi when travelling

Your own VPN is the correct answer. If you have a fast enough symmetric link at home then just run a small machine there (or your router/sec appliance may support it) or else get a ~$5 VPS from OVH/DigitalOcean/Scaleway/Amazon/Google/MS or whomever you like and run WireGuard on it. Or if you want something more turnkey with IKEv2 support (if you have devices that can't use WG) then check out Algo [1].

But there is likely no need for or reason to use a "VPN provider" if all you're looking to do is shift your virtual entry point to the internet from the edge, and lots of good reasons not to. The only real exception would be if latency is a major concern, you travel very widely and don't want to deal with any extra hassle setting up a solution to move between regions. In that case might be worth keeping an eye on CloudFlare's "Warp" solution [2], which will probably be about as good as it gets in that regard since they've got infrastructure worldwide and will be able to route well.

But I'd definitely suggest checking out running WG (alone or via Algo) yourself. It really is straightforward.


1: https://github.com/trailofbits/algo

2: https://blog.cloudflare.com/1111-warp-better-vpn/

One of my main use cases for a VPN is appearing from different countries. I also anonymize my traffic. If I own the VPS, that traffic can be tracked to me quite easily. I use a VPN for these things a couple times a week. I can (and do) use my own VPN just to secure my traffic on untrusted networks, but there's more to it than just that.

Private Internet Access. Besides providing great service, they sponsor a lot of free and open source software and services, like Freenode IRC.

Note that this post was submitted to HN by a co-founder of PIA, and they've been known to stir the pot a bit in the past. Last year they put out a few accusations against NordVPN and ProtonVPN that were very weakly supported.

He's also (honestly) the crown prince of Korea, which is kind of crazy to think about.

I've used PIA for years. The only other one that I've used is Air VPN. They seem pretty legit.

I would recommend my own company, based in the Netherlands: WifiMask.com.

A VPN with a focus on WiFi protection. MacOS and iOS only for now, I'm working on Android and Windows too. Send me an email for a test account if you'd like to try it out: support@wifimask.com

Mullvad was alright. Didn't ask me any questions other than payment information.

For non-do-it-yourself I would use Freedome by F-Secure, which is a reputable security company with a long history.

For do it yourself the best option is algo.

in this day and age: just buy a data plan sim card! it will be safer, more practical and cheaper.

even if you have to splurge in one country or another with bad monopoly cases (e.g. visiting the usa) it's still better than using a combination of open wifi + shady vpn (all of them)

That's interesting, I too, have had the exact opposite experience. After having tried multiple VPN providers I settled for NordVPN because it gave me the most consistent speed.

> Collective 7 is a Canadian hosting company [...] now owned or controlled by NordVPN. [...]

> NordVPN threatened to release TorGuard’s confidential and trade secret information that was obtained by NordVPN from Collective 7— who, in turn, obtained this information during the time TorGuard utilized Collective 7 as a service provider. NordVPN threatened to release this information unless TorGuard forced or coerced a third party into silence, as this third party was publishing legitimate criticisms of issues associated with NordVPN’s business practices.

If true this reflects very poorly on NordVPN. How much criticism did they manage to suppress successfully until someone sued for blackmail?

NordVPN has been known to suppress a lot of information about themselves - even the country in which they operate.

Given C7 is involved as well I’m very confident it’s true.

And they are closely aligned with other vpn providers that all leveraged micfo (as is stated in this complaint).

C7’s owner is involved with quite a few VPN companies.

> If true this reflects very poorly on NordVPN. How much criticism did they manage to suppress successfully until someone sued for blackmail?

NordVPN has sent legal threats to many Youtubers and bloggers anytime they don't like what's written.

NordVPN and ProtonVPN are enemies of free speech and open internet.

"It all started when we received information that led us to finding a TorGuard server configuration file lying in the open on the internet... We hoped that after providing this vital assistance towards securing TorGuard’s infrastructure, they would also cease with their illegal defamation campaign."

So nord is shitty for digging up dirt on torguard because they were mean to them online and torguard is shitty for having these vulnerabilities in the first place. Are there any vpn services run by a company that is neither slimy nor incompetent?

Try mullvad.net.

A bunch of hackers in Sweden. You can pay without exposing any information about yourself and they support wireguard (even help pay for and doing their own development on it).

I met some of them personally at hacker conferences as well and they knew what they were talking about.

I would second Mullvad too.

It's been the only VPN provider that has ticked all my boxes.

To be fair this kind of vulnerability is kinda common. All it takes is some AWS bucket to be left public. Surely you've seen it on HN for years? MongoDB for company X found with no password, government AWS bucket left public, etc.

That said it would be a feasible yet simple story to fabricate. The details aren't that important, just saying "we found a file with ip addresses that had services open with no password" is plausible but also not that specific.

Seems like all they need to do is publish their communication now that the vulnerability has been fixed?

Well, it makes it quite clear what 'trade secret' TorGuard was blackmailed about then.

This whole drama (not of the highest quality) should be a big warning for all those naive people (trying hard not to call names) who seem to not completely understand the HUGE trust threats that _all_ VPN services entail. VPN services are black boxes. You have absolutely no idea what they are doing in their black boxes despite all their claims. A nice post that sums everything up: https://schub.io/blog/2019/04/08/very-precarious-narrative.h...

100% concur with your opinion.

Anecdata, but from a couple of stories from people who worked/interviewed at VPN providers - I believe that in a couple of years we'll start to see the same horror stories of private data issues, like we are having with social network and internet ad businesses today.

EDIT: apparently my anecdata is not anecdotal [0]. When it's a race to the bottom for consumer pricing - your bandwidth is resold (or at least there's capability to do that) for botnet purposes.

[0] https://restoreprivacy.com/lawsuit-names-nordvpn-tesonet/

I'm sure we will, there have already been cases where claims about not keeping logs turned out to be plain lies, sure why some wouldn't share their users' habits for further "analysis" for extra profit upon subscriptions.

The plain fact is that you don't know what they are doing, it's impossible to know.

If they ever find a way for an introspective verification/validation of configurations coupled with the connection itself (or whatever mumbo jumbo), then we can talk again about middle-men's trust.

With these VPN services having become a race to the bottom, it's not all that unsurprising that stuff like this happens.

I think the race to the bottom already has many providers in fistfights at the finish line.

For example, when I tried Kodi (as a non-piracy living room media box starting point) a couple years ago, one of the reasons I gave up on it was that it seemed almost every Web search for technical questions would be filled with hits for VPN affiliate pitches. I also found forums, such as on reddit, filled with shilling, drama, and intrigue about VPNs, including some prominent ones. Then there was the related scandal of Facebook targeting children with a "VPN" surveillance channel, and there's really no assurance that many VPN providers aren't doing a similar thing.

I suspect there are some legitimate VPNs, but I decided I actually trust free Tor more than any random VPN, for some casual degree of protection against snooping open WiFi and ISP.

I used to be one using and praising ProtonMail, but the Tesonet scandal turned me around. The worst evidence for me was their responses, how they were constantly calling it a "smear campaign by PIA", often not providing any plausible explanations. Duh, PIA published it and put work into raising public awareness. They are competitors, they found your dirty laundry and published it, duuuuh. Whoever discovered it, doesn't matter, they couldn't respond to the actual facts, only repeating the annoying combination of words "smear campaign". I don't trust a single VPN provider and would rather trust my exit point to my ISP which is regulated by local laws, rather than trusting it to god knows whom god knows where. I would be happy to see the issues of Tesonet and their links to NordVPN and ProtonMail/VPN raised again!

Not sure if you saw it, but Proton published a response here: https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...

The fact that hundreds of Twitter bots were used to spread the allegations is rather strong evidence that there was indeed a smear campaign. Details about this here: https://protonvpn.com/blog/is-protonvpn-trustworthy/

From NordVPN response:

> It all started when we received information that led us to finding a TorGuard server configuration file lying in the open on the internet.

It's highly doubtful that some random person will send some security vulnerabilities about a company to another unrelated company. It's more probable that NordVPN had its own team trying to hack or at least test Torguard defenses. That makes the DDoS allegations more believable.

> It's highly doubtful that some random person will send some security vulnerabilities about a company to another unrelated company.

When I had a small web-crawling/automation business we'd get quite a few emails like that offering all sorts of datasets and security holes for sale. We never responded (people already have a hate boner for web-crawlers lol).

Maybe someone with more gray/black hat infosec knowledge could comment on the plausibility of this but honestly I wouldn't underestimate black hat sales skills :)

NordVPN is one of the ugliest in the, on its own shady, VPN business. They did their best to slowly make the Tesonet scandal slide away. Here on HN some users provided extensive insights about their connections with the Lithuanian data mining company and convincingly demonstrated that NordVPN must be the most evil VPN honeypot and deceiver.

Can you tell more about what is the "Tesonet scandal"?

I've heard such shady stuff about NordVPN that I would never trust them with their data, also would never trust any other VPN provider.

EDIT: I think I've found it:



I was informed before not to use NordVPN for their (anecdotal) shady practices, but the fact that ProtonMail is in this crap too - I do not know who to trust anymore when I am buying "privacy" online.

ProtonMail is not involved and the story is really bogus. Proton happens to have an office in Lithuania (one of 6 globally) and was dragged in as a result, but otherwise there is no real connection as explained here: https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...

ProtonVPN in particular has been vetted by third parties such as Mozilla, and is operated very transparently as outlined here: https://protonvpn.com/blog/is-protonvpn-trustworthy/

The location of Proton offices for example, has always been publicly disclosed, the directors of the Swiss parent company Proton Technologies AG, and the company's CERN roots, etc, are all in public record.

Just a friendly reminder to the world that NordVPN is also the one that lies about being based in Panama :).

Source? I can't find anything about them not being based there at all.

EDIT: After some brief hunting I found a HN comment with some scattered information about them possibly being based in Lithuania [1]. Not sure what to think about that personally.

[1] https://news.ycombinator.com/item?id=18609655

Where are they based?

Likely, in Lithuania, where they are subject to data retention laws, which means they are obliged to keep data for 6 months. I can suggest searching for "NordVPN Tesonet", the scandal that happened a year ago or so. The data mining possibility is horrible on its own, but Reddit and Hacker News users have discovered much more on the way. Everything is already said and exposed, hard to believe how much influence in general media they have that they could bury the whole story.

Maybe off topic, but if anyone from NordVPN is reading this: for the love of god fix your iOS and OS X clients, so they don't log out randomly. I can't even begin to describe how frustrating that is.

I'm getting a TLS error from this link. Is it for everyone or just me?

The site's certificate chains up to the DigiCert High Assurance EV Root CA. See https://www.ssllabs.com/ssltest/analyze.html?d=torguard.net&...

If you are having an issue, it would be worth stating:

• Do you have the above-mentioned CA in your trust store?

• What OS/browser are you using?

• Are you using any middle service, be it local (like virus scanning) or network-level (like a middlebox/proxy)?

Are you using NordVPN? /s

I get that same issue.

Can you explain what exactly the issue is? Where is the certificate chain breaking?

Are you behind a proxy that does certificate interception?

It's working fine on my end.

It’s working fine for me.

it works for me (Firefox, Windows 10)

are you using opendns?

So pretty much NordVPN pokes TorGuard into suing and now... NordVPN gets to put TorGuard in a body bag and call it a day as they've always wanted. Mission Accomplished.


Wouldn't this only just barely cover court/lawyer costs?

That's the minimum to make it a Federal lawsuit. The damages, if any, would be determined later.

Why even use NordVPN when you can have AirVPN. Better in all ways...

PIA has been caught orchestrating a smearing campaign against nord in the past. It's funny to see how PIA's employee is all over this thread again, trying to undermine a competitor. Are you a messenger for torguard now also?

What exactly is the "confidential and trade secret information" about?

Seems that there were some massive security vulnerabilities that NordVPN found. [1] I'm very interested in seeing how this court case works out, as at this point I don't know who to believe.

[1] https://nordvpn.com/blog/torguard-lawsuit/


Apparently it's a TorGuard vulnerability. To tag a vulnerability as 'trade secret', and the fact that the disclosure process involved threats (allegedly) is a very bad reflection on both of them. Why should I trust either of them to handle security vulnerabilities responsibly in the future?

"confidential and trade secret information" appears to reference a stolen install script:


I guess that's a secret.

You can clearly see that TG include stuff about Nord that ain't related to the lawsuit, nor to the court itself, and that's clearly why - to make Nord look like the bad guys in this scenario, while all the claims sound like bs. Torguard hasn’t even filled in the correct company name when they filed the suit first, which speaks for itself on how professional they are. Anyhow, how is that Nord the bad guy now and everyone forgets the fact that they just wanted to let torguard know about their own vulnerability to fix?

And how do you know the Micfo IP fraud is not related to NordVPN? They were using them extensively.

Collective Seven (C7) is related to a very long list of VPNs, including Nord, yet NordVPN has denied knowing them.

> Anyhow, how is that Nord the bad guy now and everyone forgets the fact that they just wanted to let torguard know about their own vulnerability to fix?

It looks bad because they tried to force censorship in exchange for a non-vulnerability. Torguard has a bounty program but instead Nord sent someone to the Torguard employee's house and tried to intimidate them into silencing a Youtuber.

It appears Nord knew what they had was not a vulnerability but still wanted to use it as leverage for taking down the Youtuber's videos. This is censorship at its worst.
