PIA VPN to be acquired by malware company founded by former Israeli spy (telegra.ph)
1000 points by ArcVRArthur 5 days ago | hide | past | web | favorite | 357 comments

This article and articles like this miscast Kape in an incorrect light. To be clear, in the past the company was known as CrossRider and provided a developer SDK that could be used to integrate with browsers. Unfortunately, CrossRider didn't do enough to prevent malware (like platforms these days and their fake news) and the platform was used by some bad people for bad purposes.

When the new management team of CrossRider took over, they immediately ceased to engage in the previous business and focused on the opposite due to the insights they gained watching nefarious developers abuse their platform. With the focus on security and privacy, they changed their name to Kape and further the new company will be called Private Internet as it will be purely focused on privacy.

The merger between Kape and PIA affords PIA the resources needed to bring privacy to the mainstream. The company can now be decentrally owned by the people, and public reporting requirements are much stronger than those for private companies. Couple this with a new random audit program we are going to launch and it's as transparent as it gets, and it's exactly the direction we at PIA want to go, where our users no longer need to just trust us; instead our actions are and will continue to be verified.

Ultimately, the choice of VPN is yours, but transparency is verification and with most VPN companies being incredibly secretive about their operations, who is behind it, and where they are located, what they do with their funds, etc. I stand behind the move to bring more transparency to privacy.

The company has always practiced sustainable karma - wherein we do what's best for the people/what people want, and that allows us to make a living doing what we love; that's not going to change.

Sincerely, Andrew - Co Founder PIA


Trust and ethics are important. A company that is identified as using questionable ethics in business, for an extended period, is not automatically "reset to neutral" by airdropping in a new management team and a rebrand. Honestly? That sounds more like a move to bury the bad news, which has a long and effective history, just as the day a story goes public does - The Friday News Dump, Thanksgiving News Dump, etc. So, for this PIA user, Kape are in significant negative territory that needs making up to even hit neutral again.

Transparency is verification, but it is critical you like what you see. With the newly formed Kape link, owned by Teddy Sagi with extensive links to other online advertising companies, mobile advertising and online gambling. Nothing good for humanity is done by his investments. No, don't like what I see at all. With the reputation PIA had I'm actually really surprised you chose to be associated with such a stable as Sagi's.

My sub is due for renewal shortly into the New Year. It won't be.


This is exactly my rationale. The fact that you have to explain that the company that bought you is not shady is writing on the wall, even if you have a good explanation. For the record, I think the explanation is pretty decent. But PIA is a commodity product from a technical perspective. It's the trust and reputation that's not the commodity, and being bought by a shady company (even if it's "formerly shady") you discard this right away.

I bought PIA because it had a stellar reputation back in 2015 or so. Now it went from stellar reputation to "just another VPN provider". Mullvad appears to be the prime candidate now, they're not based in the US if that means something to you, and they even have Wireguard to play with. Let's go.


Trust is a fleeting concept. If you used PIA only for the trust and not for the verifiable transparency, then we have failed you.

You can't trust some random VPN on the internet. Anyone could have set it up.

You can only verify. Don't trust. PIA will continue on its mission to increase transparency and set a new standard and expectation in the industry.

With PIA, we will make sure you know what you're getting. Some may choose not to go with PIA, and that is beautiful freedom. For the rest, I'm confident people will choose verifiable transparency over blind trust.


How do you propose we verify the transparency? I legitimately have no idea how I can verify what specifically is running on your servers.

It seems to me that the entire VPN industry has a huge inherent information asymmetry since it is incredibly difficult for an end consumer to confirm any claims a provider makes about the quality of their product. Economic theory tells us that results in a market for lemons [1]. We just end up with a bunch of low price and low quality products provided by shady companies because it simply isn't cost effective to compete against those options with a quality product whose quality can't be verified. For a technically savvy end user, you are probably better off rolling your own VPN with open source software you compile yourself rather than trusting any of these black box VPN providers.

[1] - https://en.wikipedia.org/wiki/The_Market_for_Lemons


Transparency is not verifiable, just as it's impossible to prove the non-existence of something.

PIA could appear to be 100% transparent while secretly creating and backing up logs, or passing them through a third-party. An auditor is less likely to be fooled, of course.

The bottom line is that it's reasonable for us to choose our VPN based on both transparency and trust, and we have no reason to trust the new owners.


Much like a conflict of interest, appearance of mistrust is akin to mistrust. You are associating with groups that have demonstrated minimal trust and ethics and allowed abuse of their platform. Worse than that, you are passing your business, product, and any existing or future data to a mistrusted group. I won't be part of that transition.

You intentionally placed your product in the hands of this group knocking your own reputation down several pegs below competitors if not out of the picture entirely. Lip service won't win me back.


And what, practically, does this verifiable transparency look like? What stops it from being just another _unverifiable_ promise on the internet?

If you are really all about transparency, then would you like to explain why someone from your company was caught red-handed trying to smear other VPN providers?

https://i.imgur.com/xg52ous.jpg

https://www.reddit.com/r/sevengali/comments/9dgexs/why_to_av...


Speaking for myself, you have indeed failed me. Before I read your comment, I had no idea that PIA offered "verifiable transparency". I still do not know what you mean by that phrase and how I as a mere user can even begin to verify your transparency.

I did use PIA for the trust, I lost that trust and I will therefore stop using PIA.


The PIA clients are closed source, and can't be verified. (They also run as root....)

You can manually set up the VPN connection with the OpenVPN client, NetworkManager, etc etc

> You can only verify.

What are you talking about? Verify what?


I honestly want to agree with HN on this, but then I'm reminded of the constant support for Apple on here, despite the fact that they have violated user trust on numerous occasions, while PIA has not.

So I did some checking:

* Teddy Sagi is an entrepreneur. To say that he is an ex-spy is a gross misstatement. Yes, he worked as a developer in the Israeli SIGINT program - so do a lot of developers who work for any number of government contractors in the US with security clearances working in SIGINT. Does that make them all spies? If you wanna believe in the conspiracy that all the Unit 8200 graduates who have gone on to found Silicon Valley companies are still state sponsored, then man, you gotta start boycotting all your popular software (and some hardware), cause Apple, Microsoft, Oracle, and Facebook all have a hand in buying these startups.

* Crossmark, the company that Kape originally was, had malware which is the equivalent of an ad-supported app on your mobile device - it was bundled with some software (much like Oracle used to bundle adware with the Java installer), and injected browser traffic, while sending user information back, perhaps for better targeting. This is a far cry from actual nefarious malware. Bad? Yes.

* Kape technologies is under the lead of a new CEO that was responsible for transforming the company away from Crossrider towards cybersecurity. Again, if you want to believe in a conspiracy theory, that is your choice.

* All of Teddy's other ventures since Kape are in the advertising space. There is a concern that can be made that perhaps advertising is going to sneak in to PIA, but let's cross that bridge if it actually happens.

TLDR, pretty much the expected overblown response, which is sadly becoming the standard for HN. By all means, vote with your wallet, but try to keep your voting consistent. Personally, given the web of investors and ownership that surrounds modern tech companies, I do not see any glaring red flags here.


I make no mention of Sagi's background, just his investment choices. Those alone are enough to question the wisdom of supporting any of the businesses with my actual money. Yes, let's have some honesty.

He's invested in: founding Playtech, an online gambling outfit; a credit card clearing company for online gambling; Kape; Stucco Media - search engine marketing; and several mobile advertising companies. Not a list many would associate with either ethics or privacy. Not a list I want to give money to or see succeed. All businesses built on erosion of privacy. Colour me unconvinced seeing a privacy oriented company joining that particular stable.

CrossRider was nothing like you imply. It was a BHO platform that injected a dll into the browser to allow easier peddling of malware and adware. Why not mention adware? Let's ignore the malware smokescreen you're trying to launch, with them as innocent victim. A platform putting injected adware on my fucking computer is more than enough. Every anti virus and anti malware platform I'm aware of identified CrossRider as a problem, or flagged its shite as "unwanted program".

Not liking that they now have a plan b that is not in an injected adware platform is not "a conspiracy theory". It's simple track record. Given what their first plan did, and how, it'll take considerable effort over considerable time for me to even consider them neutral. They may never reach neutral or "trustworthy" again.

No, all his other ventures aren't in advertising. They are in advertising and gambling - funny you don't mention gambling - that, for me, is more than enough for choosing a business to rely on for trust and privacy. I don't want to support those sectors. I don't actually want them to exist. I don't actually trust anyone in the SEO, advertising or gambling industries at all, from Google and Ladbrokes down, as they keep doing the opposite of the ethical thing, consistently and repeatedly.

If PIA, who have built a decent and (as far as I can see) well deserved reputation, want to hitch their future to that. Well it's their disappointing free choice. My money goes elsewhere.


Online gambling is not in any way built on eroding privacy. You are free to not like how the industry knowingly makes money off of addicts (no, no matter how much they say they care about responsible gambling they will not stop problem gamblers more than necessary to comply with the law), but in my opinion that is the only ethics problem online gambling has that most other industries do not also share.

Start here (from Simon Davies, the founder of Privacy International): http://www.privacysurgeon.org/blog/incision/how-the-online-g...

They are as bad as, and often indistinguishable from, the least salubrious corners of online advertising in their tracking and data gathering. Unfortunately their determination to keep feeding off addicts and keep tracking the whales is what has driven their data abuses. Responsible gambling is 99.9% greenwashing. :)


As someone who has worked in the online gambling industry I can say that this article is very outdated and on some points misinformed. Things have changed a lot since 2010, and he is wrong even about how things worked back then.

> It is routine for sites to demand the transmission of passport and credit card scans, drivers licenses, utility bills and other personal documents. All the available evidence indicates that this information is stored permanently.

Only due to the regulating authorities demanding this to prevent money laundering. Collecting and storing this information is just a huge headache to the gambling companies. I know some small companies do it improperly, but if they could choose themselves they would not have stored it at all. I have never heard of any company using these KYC documents for anything other than storing them for possible police investigations.

> As a rule, they don’t. It is extremely difficult to close an online gambling account, and in my experience impossible to have your data deleted.

This kind of BS with making it hard to close accounts was an issue and has been cracked down on. These days it is very easy to permanently close a gambling account if it is Malta or UK regulated at least. If it is not then you can report them and they can get large fines. It is impossible to get your data deleted though since the casino must keep it for anti-money laundering for a long time. Here I do not know how many actually delete anything once their legal time is up.

> [and] fail to notify customers that personal data will be retained permanently even after an arduous process of account closure.”

Yeah, I think the sites should be more clear about this. But I do not know of any industry which does this well.

Edit: About tracking the whales. No, that is not related to any data abuses as far as I can think of. It would actually be better (from a greedy and selfish point of view) for us if we could delete the gambler's data when they delete their account because then they can register a new account and lose all their money again and we could say we have fulfilled our responsible gambling obligations because there was no way we could correlate the new account with the deleted. Tracking whales is usually mostly done with quite simple BI queries and VIP teams doing work manually.

I am not saying data abuses do not happen in the industry, but it is certainly not built around them or close to as bad as e.g. adtech. Actually ordinary online stores seem often to be worse than casinos when it comes to privacy which probably says more about our current society than about casinos.


What you're forgetting to mention is that none of the "improvements" is due to the industry itself. ALL of it has come from government regulation and threats from legislators to ban online gambling unless the casinos clean up their act.

While this fact surely deserves to be mentioned, I think plenty of companies make good PR off complying with legally mandated measures. Doing something good is doing something good, even if you don't want to do it.

Kinda yes, kinda no. While the user account locking and several other things only happened due to regulators there are other similar issues which the industry fixed itself (e.g. intentionally delaying withdrawals which regulators did not give a fuck about but after one company offered it everyone had to) and reducing the number of sensitive documents necessary to collect (the regulators do not give a fuck about user privacy).

>Only due to the regulating authorities demanding this to prevent money laundering

Authorities demand tracking/ID info for users because the industry declines to make laundering impossible on their platforms.


How would you make money laundering impossible? If we could we would. Money launderers are shitty customers who mostly just rack up tons of transaction fees for us which their losses just barely pay for.

I don't know, I'm not in the profession. Maybe start from first principles?

> To say that he is an ex spy is a gross misstatement. Yes, he worked as a developer in Israeli SIGINT program

This makes him an ex-spy. There's no prejudice or judgement in saying so, it's simply true.


There's a podcast called Darknet Diaries with an episode about this program[1], where the host interviews an ex-member. It's all very interesting, but there's one part in particular where he talks about the reunions that some ex-members regularly attend. It raises questions since many of these people are working in important positions at major corporations that compete with each other and compete with Israeli companies and companies founded by other members of their unit.

It wouldn't be fair to assume any collusion is going on of course, but considering their past in espionage and the military, it's at least worth mentioning.

[1]: https://darknetdiaries.com/episode/28/


Are people exaggerating? Sure.

But is there more reason to think that their data isn't safe with PIA now than before the merger? Definitely.


> you gotta start boycotting all your popular software (and some hardware), cause Apple, Microsoft, Oracle, and Facebook all have a hand in buying these startups.

You make this sort of action sound out of reach/unreasonable.


Nice comments.

When Trump became president, was it still Obama’s administration?

Given my knowledge on corporate governance and publicly held companies, I disagree with your first statement. The CEO and management team are absolutely the ones who define the ethics of a company and are legally responsible as well.

As for Teddy, I’m not sure how knowing his background and being able to publicly verify his moves would cause less trust than, for example, the other VPNs which you have no idea who owns them or even where they are located. Transparency builds trust in real life and there is nothing but transparency here. This isn’t blind faith.

PIA has never logged, nor has Kape. Check out the other providers and see what they have done. It’s gross.

Regardless of your decision and your comments, I appreciate your contribution to the discussion.

While I disagree with some of the statements in the thread overall, I recognize that PIA can do more to provide more comfort to people. Unfortunately, I don’t believe in blind trust and theater so all we can do is continue to increase our transparency until there is no need for you to trust us.

And to Zero Trust we are headed.

Happy New Year and thank you for the opportunity to protect you until now. I trust we did a good job, and one day, I hope we will have created an ecosystem that doesn’t rely so much on trust in the future so that you might return and we can serve you again.

Best, Andrew


It seems that you are redefining the word "trust" here. I would agree that transparency in a VPN is very important, but surely you have to realize that any time a consumer such as myself is utilizing the services of any third party company, whether it's a traditional software provider, a commercial VPN, a SaaS vendor, etc., etc., there is a trust dynamic taking place. No matter how transparent PIA is about their no logging policy, for example, I have to trust that the PIA team is holding firm to that policy. Yes, that policy has been tested in the courtroom; but all that does is tell me that as of 2018 or whenever you were served you didn't log; it doesn't tell me anything about whether you logged my traffic last month. For that, I need to trust you, based on a multiplicity of factors, that you didn't. Prior court cases form part of that trust, and your outspoken no-logging policy, but your corporate structure also factors in to whether I trust PIA.

It is also worth meditating on the fact that, unlike this very boring (from a legal and political perspective) user, undoubtedly there is a segment of your user base who are dissidents and journalists, for whom the privacy of their online activities truly is a matter of life and death.

Trust is like respect; it should be earned, not given freely. PIA had my trust. You have since eroded it. Not completely, but enough that I am shopping for another VPN. If you want me to sign up again, you must re-earn that trust.


> I recognize that PIA can do more to provide more comfort to people.

You could start by looking for a new CTO maybe? I mean, Mark Karpeles was such an obvious bad choice.


The irony. You were spreading FUD concerning ProtonVPN and their connections here on HN and Reddit. Now it is you who gets grilled. Karma is a bitch, isn't it?

> Transparency builds trust in real life and there is nothing but transparency here.

What transparency? All I see are unverifiable claims. Such claims actually make you more suspect imo.

> PIA has never logged nor has KAPE.

So you say.

> And to Zero Trust we are headed.

How is 'Zero Trust' in any way related to the issue of transparency you bring up?


> When Trump became president, was it still Obama’s administration?

The current president picks up where the previous one left off -- they don't start with a clean slate and no historical baggage.


This may be ancient history, but I believe this understates Crossrider's active role in the adware/malware that was being widely installed.

Per this research from Google and other academics [1][2], Crossrider was one of the largest "affiliates" of Superfish and other ad-injector malware.

To my understanding, Crossrider was essentially a distributor: they delivered installs, recruited advertisers, and brokered deals with software publishers, knowing that they would be adding malware/adware to the downloaded bundles that would persist on users' machines. And knowing that some users (most or all, really) didn't realize what was happening.

Rather than being a mere bystander, if the researchers are correct and per the HN thread below [3], Crossrider was an active--and essential--participant in the "Download Valley" ecosystem.

It may or may not be relevant to today's Kape, but we should at least be honest about what these guys were doing in the past. It was ugly. They weren't the only ones, but they were clearly not on the side of the angels. (Worse, YC funded one of their competitors called InstallMonetizer.)

[1] https://pdfs.semanticscholar.org/8914/94e6d2a9e96985ccca1c44...

[2] https://www.ieee-security.org/TC/SP2015/papers-archived/6949...

[3] https://news.ycombinator.com/item?id=9120593

(edit: spacing)


>It may or may not be relevant to today's Kape, but we should at least be honest about what these guys were doing in the past.

Yep, "consider the source." It's weird how people will strongly imply that reputation doesn't (or shouldn't) be a factor when the internet is involved, that even criminals should be able to fail upward.


Thank you for taking time to explain your position. I can appreciate the need for resources and why you think this deal is the right thing to do for your company. I've trusted your company enough to use it for years and buy a multi-year subscription. Unfortunately, given the track record of Kape, I can't trust the bundle of Kape+PIA the way I trusted PIA alone. Maybe in the following years this trust will be accumulated, but right now, due to Kape's history, it's below zero, dragged down by Kape's past. I understand all about new management and stuff, but adware alone is a business shady enough that steering clear of it in matters like VPN seems to be basic prudence. And when malware is added to the mix... as I said, the trust level becomes negative. Good luck in your future work, hopefully your new combined company will accumulate the trust again, but I'll be using some other solution for now.

If you think a platform is responsible for what their developers do with it, then I understand. However, Kape was never directly involved in adware other than providing SDKs that let developers create positive and negative things.

To say Kape was involved in adware would be akin to saying the Wright Bros killed millions of people - because they made planes which people used to kill people (which is simply untrue). Even the original article notes this ever so briefly so as not to show Kape positively.

Thank you for your trust until now, and given the long track record and relationship, I hope you can verify my statements as well.

Our future work will always be the same work we have been doing, so whether now or later, I'm confident we will re-earn your trust again, and hope you'll give us the opportunity.


Again, in the interests of historical accuracy, Crossrider did more than that. They actively provided monetization for traffic from installed apps.

I have in my email a post from longtime senior employee Yonatan Pesses to a LinkedIn group (then named "Downloadable Software Distribution & Monetization") for people working in the pay-per-install space. It is dated Dec 5, 2014, and it reads:

"Crossrider is offering an amazing monetization solution for your MAC traffic! Very easy implementation, with high user value!

Yonatan Pesses Crossrider"

I'd say that is pretty clearly more than just an SDK.

I also gather Pesses has recently left Kape: http://archive.is/QYtxD


That’s about as innocent as Megaupload was as a file sharing website.

Did CrossRider have any honest users? From the little I can find on the Internet it seems like a toolkit for building adware with little to no honest uses.

Small correction - I don't think building adware - as long as it's not hidden, not doing clickfraud, etc. - is necessarily dishonest. It's just not the business which you want to be owning your VPN. Just as a cheap used car dealership is not necessarily dishonest, but that's probably not where you want to get your banking or medical service.

Sure, I agree with that correction.

I didn't do any development on CrossRider so my understanding is pretty limited here, but it looks like it was just an SDK to build cross-browser extensions which a bunch of developers used to place ads, and then CrossRider caught all the blame for it.

To me this sounds like if people used Ionic or React Native to make spammy crappy apps and then people blamed those frameworks respectively. It wouldn't make any sense. It's the fault of the app developers or the platforms which distribute the app (e.g. the app store)

Am I missing something here? Did CrossRider have a storefront which actively promoted adware extensions? I'm not able to find anything rationally explaining the amount of backlash and downvoting rasengan is getting.


See this comment: https://news.ycombinator.com/item?id=21681481

Also when I google CrossRider I find tons of mentions on malware tracking sites, including Microsoft's, but nothing else really. On the other hand if I would google React I do not think the majority of the results would be from anti-virus and anti-malware.


I think there's a difference between providing a generic SDK and providing a specific targeted SDK. E.g. if you made libstdc++, nobody is going to blame you for every C++ program using it. But if you made specific malware with a specific exploit for a specific vulnerability, and people use it to take over other systems, you may share the blame - even if you yourself never used it. In the latter case, you'd be known as a "malware vendor" and your trust profile would be set accordingly. I think this is close to the case for Kape. They targeted a specific market with a specific product. Now, it's completely their right, nothing illegal, but as well it is my right to stay away from people who are into certain markets and certain business models.

Changing of ownership fundamentally resets the trust we all had in PIA, which was due to you having proven in court you deliver on what you declare.

And in the VPN world, trust is fundamental.

I am still surprised you didn't see this coming.


> And in the VPN world, trust is fundamental.

Why do you say this? Isn't it generally believed that most/all large VPN services are monitored specifically by the governments of the countries in which they operate?


Vodafone runs a large VPN, and I know from the people who sell them logging services they are obligated by the governments of multiple nations to keep URL logs for a number of months that vary depending on the target's information retaining laws.

Mullvad on the other hand does not log anything at all (other than their Stripe payments where they try to keep data minimal). Is that in violation of the Swedish law? Maybe, but as long as one of the medium sized ISPs, Bahnhof, is still fighting the law in court I cannot foresee any court cases against small fry like Mullvad or any of the other Swedish VPN providers.

The difference is probably that Sweden isn't as privacy unfriendly as the USA, despite being part of the fourteen eyes programme.

I think it is more about us being culturally less friendly towards secret court orders, and with just handing over customers to the authorities without proper process. Do our SIGINT operations monitor Mullvad's exit and entry nodes in Sweden? Maybe, but I do not think Swedish authorities will be able to force Mullvad's staff to silently add a backdoor. I mean they have not yet managed to get Bahnhof to comply with the current law since Bahnhof argues that some EU directive makes the Swedish law illegal.

To their own citizens sure, but they have had absolutely no qualms about invading the privacy of those who are not their own citizens, which is the entire point of the 'Eyes' programs.

Unlike many countries, including many European countries, the US does not require logs to be kept.

Also, legally, national security letters can not require monitoring of the contents of communications but only compel the recipient to produce existing records regarding the communications. For a VPN service that did retain logs an NSL could require them to be turned over; however, for one which doesn't there would be nothing to turn over, and an NSL can't compel the collection of such information when it doesn't exist. An NSL which tried to exceed these restrictions can be fought in court.


>but as long as one of the medium sized ISPs, Bahnhof

An ISP named themselves "train station"?


Sure, there's also a city in Croatia (Pula) which means "dick" in Romanian. People don't usually verify what their brand means in other countries, especially if they have no desire to expand to said country.

I am 100% sure it is intentional since virtually all Swedes know that Bahnhof is German for train station. No idea why they picked that name though.

...no?

Why would VPN providers be excluded from national governments' internet surveillance systems? If anything, I'd think they'd get extra scrutiny.

How can we verify that?

You can't generally prove someone isn't beating their wife.

https://en.wikipedia.org/wiki/Loaded_question


When the concern is our privacy and secrecy, isn’t it better to err on the side of caution than trust naively?

What if it were a matter of health? Should we trust before verifying? Would it still be a “loaded” question?


By that logic everyone and everything is corrupt, monitored, etc. Including the hardware you might install your own VPN node on, all messenger apps, all phone lines, the mail, and so on. Your best friends are all spies. Your bedroom is bugged.

That would mean there is absolutely no way to improve your privacy and you might as well do nothing.


By your logic you should trust every ad on the web, click on every flashing button, and eat or drink every thing any random stranger offers you.

No? Oh is there a line?


I was with you until your second paragraph.

I think an increase in ownership base fundamentally makes it easier to trust an entity, especially in a public company setting where transparency is a must.

Rather than trusting 1/1 owner of a company you just need to trust 1/n with significant control.

The original PIA group will maintain significant control.


The problem with trusting 1/n is that my trust in you is compromised when you choose to associate with an unscrupulous party, so even that 1/n is no longer trustworthy.

(Long time PIA subscriber who cancelled over the news of acquisition.)


This is entirely backward from actual security principles.

Any increase in the number of people involved in a security related decision multiplies the chance that bad decisions/compromises will happen.

Cf the definition of compartmentalization.


>The merger between Kape and PIA affords PIA the resources needed to bring privacy to the mainstream.

You were one of the most, if not the most successful VPN provider for years. Did you really need more resources? For what?

The main benefit of PIA is the expectation for extra privacy. No matter how you look at it, selling to Kape is a strong signal that's not a priority. Similarly, for hiring Karpeles to do your security (like he hasn't lost us enough already).


> Similarly, for hiring Karpeles to do your security (like he hasn't lost us enough already).

Wait... What?!! I just had to look this up[0]. How did I miss this news?

Now... I'm all for second chances in general, but there need to be limits, and my understanding of the MtGox case is that on top of being responsible for terrible security practices, Karpeles lied about the intrusions.

I was actually kinda on the fence before, even when my previously reliable connection stopped working yesterday (probably a coincidence). This makes me not really trust PIA's decision making, which is a real shame. I found the service very solid.

[0] https://www.privateinternetaccess.com/blog/2018/04/why-i-hir...


I actually subscribed to PIA before realising this, too. It's weird nobody else is even mentioning it in these threads - trusting a proven fraud like Karpeles for your privacy and security needs is a bit insane if you have other alternatives.

I didn't know that either. Here are a couple of quotes from an article about how Mark ran MtGox:

> Beneath it all, some say, Mt. Gox was a disaster in waiting. ... A Tokyo-based software developer [says it] didn’t use any type of version control software [and] he says there was only one person who could approve changes to the site’s source code: Mark Karpeles. ... “The source code was a complete mess,” says one insider.

> The 1,719 lines of commented PHP code...include code to access individual customers’ Bitcoin wallets and to process transactions. ... Anyone who had access to the server running this code could have easily redirected transactions or pillaged the Bitcoin wallets.

https://www.computerworld.com/article/2476003/the-php-that-s...


>didn’t use any type of version control software

What kind of incompetent fool doesn't use version control in this day and age?


Mark Karpeles defrauded a customer in France before he bought MtGox and moved to Japan. He was found guilty of fraud when tried in absentia because he skipped town and left. When MtGox was hacked and the hot wallet was wiped out, Mark didn't even bother to stop using a known compromised hot wallet. Over 3 years he never bothered to ever rotate keys for the hot wallet, even though he already knew it was compromised when it was wiped out in the original hack. Mark publicly touted how MtGox was using cold storage for 95% of all Bitcoins in MtGox at all times and that the keys for those Bitcoins were secured such that you needed to compromise two out of three geographically separate locations in order to rob the cold wallets. None of that was true, and Mark knew that the exchange was insolvent from the day he bought it.

https://bitcointalk.org/index.php?topic=23938.msg1177353#msg...

His solution to the problem was to make a trading bot with an innovative new strategy of "buy high, sell low". That trading bot was something that he publicly denied multiple times and it wasn't funded with Bitcoins or dollars to trade, it just made trades without having any funds allocated to begin with. Even ignoring that the deposited funds were stolen the exchange didn't have any hope of being able to be solvent because the Willy bot just added funds to the exchange out of thin air. The charitable interpretation of Mark's actions is that he was too incompetent to even realize that his trading bot was losing mountains of cash and too incompetent to realize that he was always draining cold wallets but never filling them back up and too incompetent to ever bother to run "SELECT SUM(BTC) FROM accounts". The only BTC left on the exchange was the cold wallet that was discovered afterwards because Mark Karpeles was so incompetent and cavalier with customer funds that he quite literally forgot about one of the cold wallets lying around with 200,000 BTC in it. If he hadn't forgotten about that wallet, he would have kept dumping it in the hot wallet to let the thief siphon off and push the scam out another 6 months before it collapsed. Even at the point that withdrawals were frozen entirely and all of the money that Mark knew about was gone he still was spouting off B.S. about how it was transaction malleability, it's not our fault, your money's not gone we just have to fix this bug, etc.

PIA's business is built on trust and rasengan decided to hire Mark Karpeles as their CTO. I honestly can't think of anyone who I would trust less as a CTO than Mark Karpeles. I'm not being sarcastic, I genuinely can't think of someone as bad as Mark for a role like CTO. There's not a chance in hell that I'm going to give PIA another cent based on that alone, even ignoring the most recent Kape debacle.


> You were one of the most, if not the most successful VPN provider for years. Did you really need more resources? For what?

I don't know if you watch Twitch or YouTube but it seems that every streamer and video is sponsored by NordVPN. I feel like with that kind of advertising budget, it's going to be harder for companies that don't advertise as much.


There's a definite plus to bringing in people who've never used a VPN service before - a lot of them may subscribe but never actually become serious users of your service, in which case they're likely highly profitable. People who find you by reading reviews on TorrentFreak on the other hand are much more likely to chew bandwidth and possibly have multiple devices connected at once.

I don't have a horse in this race, but should mention that PIA was losing a ton of money.

> Did you really need more resources? For what?

Yes, to bring freedom thru privacy to people. The coming battle against privacy and free speech is by far the strongest and worst yet; the narrative and our voices are quickly getting quashed.

Without the ability to communicate privately and speak freely, at best democracy is at risk; and at worst, humanity, or what it has meant to be human until now, itself may be at risk.

Divided we are not stronger.

> Similarly, for hiring Karpeles to do your security (like he hasn't lost us enough already).

Cryptocurrency has come a long way, and without MtGox and Mark at the beginning, it may not have been able to make such strides.

I prefer a battle hardened individual over a clean track record of no experience. Failure is the fastest and strongest way to learn and grow stronger.

Overall, I appreciate your words and concerns, but I believe we are strategically moving in the right direction to the world's benefit.

Time will tell.


>Yes, to bring freedom thru privacy to people. The coming battle against privacy and free speech is by far the strongest and worst yet; the narrative and our voices are quickly getting quashed.

>Without the ability to communicate privately and speak freely, at best democracy is at risk; and at worst, humanity, or what it has meant to be human until now, itself may be at risk.

>Divided we are not stronger

I was hoping for a real response, rather than the same empty marketing speak.

Of course, the real response is likely 'I wanted to cash out', so I understand why you can't deliver something more convincing.


* a battle hardened fraudster.

Failure is not the fastest way to learn when that failure is achieved through fraud.

I was on the verge throughout all of these news, but now finding out about you hiring Karpeles and now reading how you defend it really made me cancel all the subscriptions and never come back again.


Agree. People that have no ethics or integrity tend to always revert to mean. People that I know that sell harmful products seem to have an uncanny ability to find ever more harmful ways of profiting.

> to bring freedom thru privacy to people

"The intent is to provide players with a sense of pride and accomplishment" vibe is strong with this one. For the record, the part I quoted is from, I believe, the most downvoted comment on reddit[0], currently at ~670 thousand downvotes.

[0]: https://www.reddit.com/r/StarWarsBattlefront/comments/7cff0b...


So what exactly is the gameplan, how are you going to change the world by selling your stake?

The company is now no longer controlled by one man alone, but instead many. I’m still a major shareholder.

We are changing the world by fighting in the front lines with our PR as we always did [1], donating to organizations without pause or hesitation [2], and sticking to our decisions even when the world may not understand as they aren’t deep in the battle like us.

Time will prove everything, and we will help the people (and freedom of speech and privacy) achieve victory.

[1] https://www.reddit.com/r/pics/comments/61ns2w/private_intern... [2] https://www.privateinternetaccess.com/pages/companies-we-spo...

Edit: Unable to reply below so I wanted to clarify - our ad spend often goes toward the benefit of people as opposed to being direct ads about our company.


>We are changing the world by fighting in the front lines with our PR as we always did [1]

You are telling me you did it for PR reasons?? That's not even remotely believable - look at the 'PR' you are getting. This was the goal??

>donating to organizations without pause or hesitation [2]

Surely, you have even less of a voice where donations go than before.

>and sticking to our decisions even when the world may not understand as they aren’t deep in the battle like us.

How are they helping you stick to your decisions? You are making entirely new decisions now, and corroding your previous ones. Are you saying they are 'deep in the battle' like you? What?


Even as a user that for now will not be trusting PIA, I do applaud the advertising I've seen in many corners of the mainstream net trying to educate users about issues they otherwise would have no exposure at all to, unlike us.

I completely agree, I just don't see in what possible way Kape helps with that.

Even if they start doing more outreach (doubt Kape helps much there but say they do) now the messages are just going to be tainted with 'yeah, dont trust those guys' comments when a user looks into it.


Great question.

VPNs do nothing for your privacy. They just shift the trust from the carrier to the VPN.

> ... bring freedom thru privacy to people, The coming battle against privacy and free speech ...

The claims you make are not only misleading but outright dangerous to anyone who actually needs strong privacy.


Would you mind elaborating on how a centralized VPN service is helping against suppression of the internet as a channel? Once your DNS/servers are gone, your VPN is gone, thus your users have to fall back to metadata collection by their ISP instead of you...

P.S.: You are aware that you can still go into the next pub and speak freely with verified (e.g. drinking liquor) humans, which solves by far the biggest issue with "free speech" on today's internet in the "west"


>Yes, to bring freedom thru privacy to people

Ok, but you're a VPN provider. When I use a VPN service I am simply moving my trust from the ISP to you. This decision (as well as hiring Karpelès, convicted for fraud) lowers my trust in you.

I am on a year sub with you guys. I don't buy the marketing speak you're spewing here and I doubt I'll be renewing.


Here's an idea or two.

WireGuard. Stop sitting on your hands complaining about how WireGuard isn't mature, and support it with the generic native apps (now there's even a (beta) Windows client). The network address selection issue requires engineering effort, but WireGuard itself is most likely not going to address that soon, because it's designed to be a minimal VPN codebase, so why don't you engineer a solution yourself? Or use NAT like NordVPN apparently does.

Explicit stock OpenVPN support. You kind of do this, but it's still difficult or off-putting for non-technical users to figure out which config to grab and how to install the stock client. On your setup page, make sure you're providing a link to the stock (Windows) OpenVPN client and install instructions for Mac and major Linux distros, so that people who don't trust your binary blob installer can use the generic one (minus all the fancy stuff like pretty config for auto-selection of endpoint, showing port number, DNS and kill switch things). Make sure to provide sample configs that are up to date and usable.

Nobody has to trust your software if you make it easy to use a generic client instead.

I realize WireGuard is tricky because it doesn't have ephemeral net address selection built into the protocol, but can you please just get that support done? What is your dev team doing if they're not doing that? They don't have to maintain OpenVPN, unless continually tweaking the custom UI is their prime focus. I'm tired of OpenVPN's instability and risk from its gigantic codebase. I don't care if WireGuard has lurking bugs that make it insecure against the NSA. The NSA is not my threat model. You can support WireGuard while cautioning everyone that you don't trust it as much as OpenVPN, and then let them make the choice based on how much they trust you, how much they trust WireGuard, and how much they trust Matthew Green's audit of OpenVPN.
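As an added example (not PIA's code, nor part of the OpenVPN project), here is the kind of sanity check a user of the stock client can run over a provider's sample profile before trusting it, which is the other half of "make sure the sample configs are usable": the profile the provider's GUI would normally hide from the user is exactly the file you now have to read yourself. The directive names are real OpenVPN 2.4+ options; the two profiles and the vpn.example.test endpoint are constructed for illustration.

```python
"""Lint an OpenVPN client profile before handing it to the stock client.

Added example, not PIA's code. Directive names are real OpenVPN 2.4+
options; the two profiles at the bottom are constructed for illustration,
and vpn.example.test is a placeholder, not a real endpoint.
"""
import re

# Ciphers OpenVPN 2.4 still accepts but which have a 64-bit block (Sweet32
# class) or give no confidentiality at all.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
AEAD_SUFFIXES = ("-GCM", "CHACHA20-POLY1305")


def parse_profile(text):
    """Split an .ovpn file into (directives, inline_blocks).

    directives: list of (name, [args]) in file order, comments skipped.
    inline_blocks: names of <tag>...</tag> sections (ca, cert, tls-crypt, ...).
    PEM bodies inside a block are skipped, not parsed as directives.
    """
    directives, blocks, current = [], set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:
            current = None if tag.group(1) else tag.group(2)
            if current:
                blocks.add(current)
            continue
        if current:
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, blocks


def check_profile(text):
    """Return a list of findings; an empty list means the profile passed."""
    directives, blocks = parse_profile(text)
    names = {n for n, _ in directives}
    args = dict(directives)  # last occurrence wins, as OpenVPN itself does
    findings = []

    def first(opt, default):
        vals = args.get(opt)
        return vals[0] if vals else default

    # Server authentication. Without a CA nothing is validated; without a
    # role check, any certificate issued by that CA (another client's, say)
    # can impersonate the server.
    if "ca" not in names and "ca" not in blocks:
        findings.append("no CA: the server certificate is not validated at all")
    if args.get("remote-cert-tls") != ["server"] and "verify-x509-name" not in names:
        findings.append("missing 'remote-cert-tls server': another client cert can impersonate the server")
    if not ({"tls-auth", "tls-crypt"} & (names | blocks)):
        findings.append("no tls-auth/tls-crypt: TLS handshake accepts unauthenticated packets")

    # Data channel.
    cipher = first("cipher", "(default)").upper()
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak data-channel cipher {cipher}")
    if first("auth", "SHA1").lower() == "none" and not cipher.endswith(AEAD_SUFFIXES):
        findings.append("auth none with a non-AEAD cipher: no data-channel integrity")
    if first("tls-version-min", "1.0") < "1.2":
        findings.append("tls-version-min 1.2 not enforced")
    # Bare 'compress' is framing only (stub); comp-lzo is on unless 'no'.
    if ("comp-lzo" in names and args["comp-lzo"] != ["no"]) or \
            first("compress", "stub") in ("lzo", "lz4", "lz4-v2"):
        findings.append("compression enabled: VORACLE-class plaintext recovery on the tunnel")

    # Leak posture, i.e. the part a provider's GUI normally does for the user.
    if "redirect-gateway" not in names:
        findings.append("no redirect-gateway: only routed subnets use the tunnel, the rest leaks to the ISP")
    return findings


# Constructed sample profiles (not real PIA configs).
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.test 1194
cipher BF-CBC
comp-lzo
auth-user-pass
ca ca.crt
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.test 1198
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
auth-user-pass
redirect-gateway def1
<ca>
-----BEGIN CERTIFICATE-----
constructed placeholder, not a real certificate
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, check_profile(profile) or "OK")
```

The checks only cover what is visible in the profile; whether the endpoint named in `remote` really belongs to the provider is still settled by the CA and `remote-cert-tls server`, which is why those two findings are listed first.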


We have financially supported WireGuard for some time and have followed its development closely while being in communication with its developer.

We do have explicit stock OpenVPN support.

While your adversary might not be the NSA, it’s our duty to only use battle hardened, time proven systems because as others noted, privacy can be life and death.

We aren’t going to falter on it. We never have. And we never will.

NordVPN plays fast and loose as we see by their masked headquarters location, hidden hacks, and other not so above board actions. It's exactly what I would never want in a VPN to be clear.


>Explicit stock OpenVPN support. You kind of do this, but it's still difficult or off-putting for non-technical users to figure out which config to grab and how to install the stock client. On your setup page, make sure you're providing a link to the stock (windows) openvpn client and install instructions for Mac and major linux distros, so that people who don't trust your binary blob installer can use the generic one

I'm going to go out on a limb and say that the intersection between "people who don't trust the stock client" and "people who don't know about the stock openvpn client and how to set it up" is very small.


> I'm going to go out on a limb and say that the intersection between "people who don't trust the stock client" and "people who don't know about the stock openvpn client and how to set it up" is very small.

I would say the overlap is actually quite big between that. People who don't trust the PIA client would be the ones who know or are able to find alternatives. It's just that the former group is insanely small as is.


Sure, nothing has changed yet. That's how it goes with acquisitions. But people (including myself) are more concerned about the future. At some point in the future there will be pressure from within Kape to increase revenues. And at that point I don't want my browsing data to be sold to advertisers and marketing agencies.

The merger agreement includes a written guarantee to never log. I don't think there is any other VPN that has that, and I _know_ that many other VPNs will not sign that with us.

Er, why isn't this prominently mentioned in the blog post?

https://www.privateinternetaccess.com/blog/2019/11/bellum-om...

I didn't lose trust in PIA because of Kape, I lost it because your blog post was poorly written and inadequately communicated some very important news. You bury mentions of a merger in the 7th paragraph, wtf?

I can't trust PIA if you can't be trusted to clearly communicate such important information.


I'm getting a "This Connection is Not Private" page when I try to access the website. Andrew please look into this if you see my comment.

The idea of suing a shell corp of an intelligence agency for breach of contract seems laughable.

Maybe they aren't that, but why should anybody without personal knowledge of the situation trust that they aren't? This is the sort of scenario where 'better safe than sorry' overrules giving the benefit of the doubt.


That is a great question - all of our information is public whereas most other VPN companies go out of their way to hide where they are located and who they are.

Verification and transparency are more important than trust.


How can users verify that PIA doesn't log?

You can only infer that as the result of a court case demanding logs. And even then, it would have to be borne out of the discovery process that PIA was truthful, in my opinion. Yet that only gives you comfort that they hadn't maintained logs up to that point. You have no guarantees from that point forward, which is what we're all concerned about. We aren't concerned about PIA's past operations, but rather what this new partnership means for their future behavior.

I realize your question is most likely rhetorical, but I felt the need to articulate my concerns.


"You can only infer that as the result of court case demanding logs. "

You can't be sure. In the Lavabit case, Lavabit argued giving up the key protecting all their users... compromising them to the FBI... would cost them customers due to damaged reputation and privacy. The FBI argued they could do it without telling them. Then, Lavabit would still look private with no financial harm. The judge agreed.

That proposal and the judge agreeing changed how I looked at a lot of companies' claims about law enforcement. I already assumed this would happen with Patriot Act requests by FBI/NSA partnership given they'd be hit with secrecy orders. I didn't see a judge straight up telling a privacy company to defraud all of its customers. I figured the order would be more narrow than that. Now, I have a blanket recommendation to avoid U.S. for privacy tech over both secret government (Patriot Act stuff) and regular, court system.


While I agree with you, I think there's some nuance. In the Lavabit case, the FBI was investigating a national security threat whereas the PIA case involved the hacking of local social media sites. I can see a judge not wanting to rule against the FBI in a case of national security whereas I think a judge would be hesitant to do the same in the case of a misdemeanor offense. Then again, I'm continually surprised by the U.S. government in the "war against terror" era.

Snowden was not a national security threat, he was a government embarrassment threat. It’s not okay to conflate the two

I'm not conflating anything nor am I making a judgement on the FBI's motives. The FBI issued a national security letter that Lavabit fought in court, which I feel Lavabit should have won. The point you missed is the FBI and the judge put a bit more weight towards forcing Lavabit's hand than it did in PIA's case because of the scope and severity of the offenses, perceived or otherwise.

The FBI did not issue a national security letter in the Lavabit case. A national security letter cannot require the placement of a device to intercept communications or compel turning over encryption keys to accomplish the same. The FBI presented Lavabit with a subpoena issued by a judge.

Or they claim no logs in court cases while making them anyways. Thereby creating cover.

Serious question: what happens if they decide to start logging anyway?

For context: Facebook told the EU Commission they wouldn't link Facebook and WhatsApp accounts. Then they did it anyway. Sure, they got fined for it, but it's hard to believe that the fine was not factored in from the beginning.

So if they break that part of the agreement with PIA, then what? Is the merger canceled?




Thanks, sorry.

Yet the only seeming relevant principle of the 'Kape principles' is:

> 3. Zero Data – sanctity of personal data – we believe each individual owns his own data therefore we will never store or attempt to sell what does not belong to us.

Which is vague in the extreme. It does not clarify what 'personal data' means. Is my internet activity when using PIA/Kape's network still my own? Or does Kape now make a claim on this data?

If there is really a 'never log' guarantee, why is this not prominently displayed in the discussion of the merger?


I've recommended PIA for years.

But no longer. I just don't trust Kape.


Thank you for your recommendations. We are working on and hope to go beyond the world of trust. We are now the most transparent VPN, as there are requirements to be transparent when you are a public company.

We don't want people to be stuck with having to blindly believe in and trust us like other VPNs.

Don't trust. Verify.


In the past I have highly recommended your VPN, but I can no longer. In your TOS you have the line.

> Client understands that the present Terms of Service are subject to changes made by PrivateInternetAccess at any time at its sole discretion, and you agree to be bound by any and all modifications, changes and/or revisions. You understand that it is your obligation to periodically review this webpage in order to account for any changes made, as they will be binding upon assent.

Such a line does not build trust, especially given Kape's history. Do you honestly expect us to constantly review the TOS? We're also not lawyers. There's no line that even suggests PIA will even attempt to inform subscribers (at least those you have emails for or through a blog post) of TOS or privacy changes.

You say

> We don't want people to be stuck with having to blindly believe in and trust us like other VPNs.

> Don't trust. Verify.

No trust and no verification.

How do we trust? How do we verify?


I have been frustrated by those lines for years now, I don’t understand how they could even be legal but they are ubiquitous in online contracts

WTF are you talking about? You're a "public company" so you are transparent, enough so that people can verify what you do? WAT

That's like saying I can trust Philip Morris International and Altria that they would never downplay the carcinogenic properties of tobacco products because they are public companies.


I mean, there's actually an active lawsuit against Altria for securities fraud over Altria lying about JUUL to their investors. Similar lawsuits are common. Being a public company gives people with lots of money and lawyers (i.e. investors) motivation to make sure that the company's core value proposition isn't a big fat lie.

I don't think that alone is sufficient evidence to immediately completely trust Kape, but it's worth some points in my book. And if the lawyers don't pull out any dirty laundry after a while, I'm going to assume there isn't any.


Actually, I do my best to hedge relying on trust.

But Kape is just way too beyond the pale.

Perhaps it's unfair, but the association with Israeli intelligence, and so indirectly with NSO Group and the NSA, is just too much.


In the security and cryptography community I think you'd be hard pressed to find people without similar backgrounds. I think being exposed to how insecure the world is and to what levels drives people to secure the world and empowers people to provide privacy and security to people.

Some people whistleblow, while others develop software, and many lecture and teach people.


> Some people whistleblow, while others develop software, and many lecture and teach people.

And most have no problems with what they saw or did, and many used the contacts and knowledge gained from that background to further their civilian careers in the field and continue to maintain those connections and shared goals therewith.


Excuse if I'm wrong, but is the implication that this should not occur at all?

I'm not sure how that's even possible.


Sure, it happens all the time. But the implications depend on context.

It's not a huge issue that Palantir is loaded with former CIA and NSA people. Except about financial issues.

But former intelligence folk running a VPN service? That makes one wonder what their goals actually are. That is, "maintain those connections and shared goals therewith".

Many don't trust the Tor Project, for just that reason.


Do you have a source for any of that?

Who at the Tor Project is a former intelligence employee?


I'm not sure if you mean current developers, but Tor was started at the United States Naval Research Laboratory, which is definitely connected to the military intelligence operations.

Core Tor[0]:

...
Paul Syverson
...

Who else, I don't know.

But hey, I gotta say that Paul seems honorable. And a bloody genius, with a great sense of humor.

I'm not a harsh critic. Just prudently suspicious.

0) https://www.torproject.org/about/people/


What I'd like to know is why for the L2TP setup with PIA, the PSK is the same for all customers.

This company has no association with the Israeli intelligence whatsoever. Many, many of the Israelis involved in the technology world have served in the IDF Intelligence Corps (being that Israel has mandatory conscription and the intel corps select the best and brightest).

>This company has no association with the Israeli intelligence whatsoever.

And then...

>My assertion is that companies are not automatically related to the Israeli intelligence even if their founders came from its ranks. It takes decisive contrarian proof to convince me otherwise.

Why were you so convinced that there is no association? Maybe there is, maybe there isn't, but what we _do_ know is that the CEO is an ex member.


Right, and there are lots of VPNs.

So why use one with anything iffy about it?

However, I gotta say that it's complicated for PIA. There's past evidence of being unable to produce logs for criminal investigators. And now there's the purchase by a firm with an iffy reputation.

However, there's the possibility that said firm was exploited by malware pushers, and not intentionally pushing malware. But still, that's evidence of incompetence, which is also not a good thing for a VPN provider.

And then the CEO's association with Israeli intelligence.

So anyway, it is complicated. But it seems most prudent to wait and see.


Sure, we'll see, but in the meantime I likely won't take the risk.

And you know that how?

My assertion is that companies are not automatically related to the Israeli intelligence even if their founders came from its ranks. It takes decisive contrarian proof to convince me otherwise. I did not see such proof in your post.

Virtually any technology company either founded or operating in Israel has former Israeli intelligence people in its ranks. It's true for Microsoft, Google, Apple, Facebook and others.


Andrew, on your responses you mentioned several times transparency, do the best for the people and give people what they want.

As a VPN provider, your reputation and the trust of your customers is vital; in the spirit of transparency I would like to know:

- Change in customer churn since announcement
- Change in new customer signup

I really hope you and your team forecasted potential backlash as part of the merger with Kape and have a plan of action to recover.


The bottom line is, in 2019 if any of my relatives asked me which VPN to use I would first outline the history of VPNs as a vector for malware/adware and explain to them the supreme level of trust you must have with a VPN provider as a MITM to ALL your internet activity. Only then would I highlight the benefits of VPNs in regards to internet freedoms and circumventing bad content blocks where users want to pay to access content but are arbitrarily denied.

VPNs are not the type of consumer product you EVER want to have acquired by ANYBODY. Not by Google, or Facebook, a US company, a Russian company, a Japanese company, NOBODY. Was this not extremely obvious when the deal started to form?

You've made a lot of promises that nothing will change, but those are empty promises given the history of post-acquired companies, as well as the vpn market as a whole. You have a lot of work to do following up on those promises, and until you do you will not have the same level of trust as you once did.


> I would first outline the history of VPNs as a vector for malware/adware and explain to them the supreme level of trust you must have with a VPN provider

I'm not your great-grandfather, but I also didn't really know (or think of) this. I kinda always thought about VPNs as intranets. I also assumed that browsers are easy enough to hack that you don't need to do a full MITM on the entire network. I also assumed most normal people don't use VPNs.

What would the most common attack vector through a VPN be? My guess would be targeting people that use pirate streaming sites / streaming through proxy IP.


I believe the most common case would be selling the user traffic, assuming the VPN knows who you are (through billing for example, although given your traffic there are a variety of ways even if you did an anonymous signup), they could then say "Hey Ben reads a lot of technical blogs and spends a lot of time on console.cloud.google.com, Triplebyte you should plaster him with ads because that will totally work".

It modifies who your targets are. You can try to attack people with malicious websites, but in that scenario you can only attack people who manage to visit your malicious site. (this example should be considered to include advertising iframes and such.)

A VPN provider, however, has a captive audience and can be certain who they are attacking.


Not if you use the packages for OpenVPN or WireGuard from your package repo. Then you only have to trust WireGuard/OpenVPN and your distro to not MITM you. Your VPN cannot do any MITM attacks other than those your ISP can as long as you do not install their client.

"VPNs are not the type of consumer product you EVER want to have acquired by ANYBODY."

That's why I encourage these types of things to be set up as public-benefit companies, non-profits, etc chartered to do the good things and not do the bad things. At least, the obvious ones that keep recurring. General principles plus a pile of specifics as examples of them.


"The merger between Kape and PIA affords PIA the resources needed"

I'm one of those people who understand the importance of reputation and integrity. One bad deal might ruin mine forever. You needed resources to expand your privacy business. Did you try and fail to partner with reputable businesses such as Mozilla, get funding from governments/foundations, etc? Did you try to get with amoral companies whose background or business wasn't harmful to privacy? And, after that, settle for the one company that was interested which could damage your brand?

I have a feeling you didn't since I'm sure there's plenty of companies, non-profits, or cooperatives that might have worked with you who don't have that background. Although I can't prove that, I see investments and partnerships all the time with organizations that raise less eyebrows. That you went with that company will undermine trust.

I'm no longer recommending PIA. I do appreciate that, before this change, your company went as far as defending its users' rights when the FBI was after them. I'll still give you credit for that.

Edit re hiring security people: You also keep justifying hiring con men for second chances or doing business with intelligence assets like there were no other alternatives. I've met all kinds of security professionals and cryptographic researchers who haven't taken malicious contracts or damaged others [that I'm aware of]. Quite a few have turned down work because they're ideologically opposed to it or just don't harm others. I'm one of those. So, my next bit of skepticism is that you really couldn't find anyone better than folks like Karpeles. You could've asked here or at Black Hat and probably got a ton of candidates who might be more trustworthy with your customers' privacy.


You don’t know a person until you see them in the toughest of situations.

Mark is a good man and a great developer who fought on the front lines and I’ve known for a long time.

I’m not comfortable blindly trusting a random person I meet at a conference with our users’ privacy. You really don’t know who is a current spook, or spy, or worse.

Lastly, to put this to bed in a way that only developers and those that understand could appreciate (like you), we severely limit the people who have infrastructure access as we practice defense in depth, and Mark isn’t one of them.


>Mark is a good man

He stole more money from me than I make in a year. There's surely plenty of other people in this very thread who he also cost dearly because of his callous disregard for our money. He knew the whole time that MtGox was insolvent and he used my cash, everyone's cash, as a giant slush fund. He had no problem pocketing that cash and paying himself a comfy salary knowing full well that he had tons of customers who made the mistake of trusting him with their money and he already lost it. Not to mention trying to make off with the domain and data from his old employer and then after they revoked the domain transfer that Mark fraudulently made he tried to extort it out of them. https://www.documentcloud.org/documents/1227216-karpeles-eng...

>and a great developer

We know exactly what kind of developer Mark is. MtGox didn't even use any form of version control. We have leaked copies of Mark's handiwork and it's absolutely horrifying that someone with his lack of talent was managing hundreds of millions of dollars worth of money. https://github.com/mtgoxleaker/mtgoxphp/blob/90822722620407e...

We're talking about the guy whose legal defense was that he was just incompetent and not malicious. He quite literally just completely forgot about a cold wallet filled with what was at the time worth well over 100 million dollars. No reasonable person would ever conclude that Mark is "a great developer".

I'd be much more comfortable trusting some rando from Defcon than a serial con man that has done nothing but lie and defraud customers and employers for well over a decade. And he's woefully incompetent to boot. Hiring Mark Karpeles as CTO is nothing but bald faced nepotism.


Your CTO doesn't have "infrastructure access"? Am I the only one to whom that seems odd?

I get the feeling reading through all of his recent posts that he's willing to say anything that portrays PIA in a positive light, regardless of its consistency with reality. I just cancelled my account because of all of his PR. Strong with that one, the rhetoric is.

We actually did reach out to many groups including some of those you mentioned.

You would be surprised to find that “non profit” doesn’t always mean “for the public good.”

As for others that were willing to partner with us, they wouldn't sign a no log pact so I had no interest in working with them. It's shocking how many private VPNs are shadily logging and/or selling your data.


I have tried to get in touch with you all, but got no response from the e-mail address provided via Twitter when inquiring about collaboration. No log pact sounds wonderful.

Why don’t you out them? You haven’t had much trouble slinging mud on HN in the past, and to be clear, it has been appreciated.

I think if you do some “negative” google searches on many of the most loved organizations, you’ll see they toyed with their users and their data countless times in the name of “experimentation” among other things.

Thanks for speaking up here. The point on this now being a public company with mandated reporting is interesting. And I found the supplemental presentation decks interesting as well. [1] One thing that stood out to me is that while public, it's still controlled by one person [2], is there a plan to broaden that and be accountable to more people?

[1] https://investors.kape.com/reports-and-presentations/2019

[1a] Slide 5 had interesting stats on PIA for anyone interested here - https://investors.kape.com/~/media/Files/K/Kape-IR/reports-a...

[2] https://investors.kape.com/significant-shareholders

[2a] unikmind gets listed as Teddy Sagi on ownership reporting forms


Great question! That’s part of the plan.

Hi Andrew, you may want to tidy up your HN "about" info if you're speaking on behalf of the company.


Note to everyone else: The about has been changed now, as my advice was taken.

Thanks for confirming that PIA is full of shit with this comment. Mullvad never looked better.

Andrew, will you be offering refunds to your customers who have paid for your service and will no longer be able to use it because of the acquisition?

PIA was the first, that I was able to find at the time, that had a fully functioning Android app for your service. I've used PIA ever since whenever I needed VPN services.

Like every service I use, I plan to take into account what I learn about them and then watch and see what they do.


> I stand behind the move to bring more transparency to privacy

How do management's economic incentives change through this deal? How much are you cashing out now versus riding into the combined entity?


I hope you understand why people are extremely reluctant on forgiving and forgetting, especially involving something as sensitive as a VPN which, in some cases, can truly be a matter of life or death.

I absolutely do, and I have always known. In particular, it’s been humbling to see the reaction on HN and I appreciate the amount of trust and love the community has had for us. I understand we are held to a different standard than other VPNs who hide their locations and ownership and are constantly caught logging - and I appreciate it.

Hacker News, we won’t let you down.


> The merger between Kape and PIA affords PIA the resources needed to bring privacy to the mainstream.

What does that even mean?

As for VPNs, you have been mainstream.

There was no other VPN service more recommended on reddit. Even here you've made a relevant impact on recommendations. How does that not provide enough funds? What have you done with all that money and why exactly do you need more?


Your argument about Kape is persuasive.

And I do want to "trust" (as much as I ever do) PIA. It's one of the few that's actually been tested by criminal investigation of a user. And it did, in fact, retain no logs.

I've also been impressed by London Trust Media projects. And I appreciate that increased resources are a good thing.

So anyway, I do wish y'all well.


Thank you. Your trust will not be misplaced, and we will strive to maximize our transparency as always.

> This article and articles like this miscast Kape in an incorrect light.

Correct. Focusing on the founder's alleged ties is a distraction. The real story is "all VPNs are snake oil". The fact that he peddles this should really stand for itself (regardless of his backstory).


What does "The company can now be decentrally owned by the people" even mean?

How do we verify that PIA is adhering to its stated policy? Like, what is the actual process for that? Is there a link you can post that instructs us in this verification?

Maybe. But I won't risk it.

That is exactly where I'm at also. I have recommended PIA to countless others. I will now wait and see if PIA is still the tool that it was before the acquisition.

Unfortunately for PIA, Kape has done nothing to gain my trust and has done multiple things to erode it. This is an uphill battle for PIA.

Good luck!


So a company that was so badly associated with malware they had to rebrand thought buying a privacy focused VPN company would be a good fit?

Regardless of how they’ve changed, the internet never forgets and it’s incredible no one involved considered the optics of selling a VPN company to a company associated with malware.

IMO you’re likely 100% above board here and they’re a reformed company, but it doesn’t matter. It looks bad.


Yet PIA has LIED about making their desktop source code public.

Where's the link to the GitHub repo?

You are proven liars.

(Thanks for the flag, doesn't change the facts, prove me wrong ;) )


Seems to me that the "spy" was doing mandatory military service when he was 18 in the Intelligence part of the army? It seems common for many Israeli technically minded teens to go into that or similar wings rather than the more on the ground units.

It was from 1995 to 1998 (that's 20 years ago now) before he was at University and is the first item in his work experience. And the length of the position is about the same as military service. I do not know his current age.


Yes, and CrossRider mostly did an SDK for cross-browser extensions. I used their product before they did ads and it worked pretty well.

I stopped using them because I could stop supporting IE but they had a real product back then.

Teddy Sagi is bad for other (gambling related) reasons - but he is just an investor...


Teddy has sold most if not all of his shares in Playtech and other gambling related businesses[1].

Also calling everyone who ever served in 8200 an Israeli spy is ridiculous. Military service is mandatory in Israel. Lots of kids serve in 8200 because they get assigned there for their affinity for math and computers. Most of them do menial Ops tasks; I interview them occasionally for junior positions.

Here are some Israeli startups founded by "spies": ICQ, CheckPoint, Wix ...

[1] https://en.globes.co.il/en/article-sagi-bows-out-of-playtech...


Can confirm. Israelis (for the most part) have mandatory service after high school. Joining the Modiin (Intelligence Unit) is great, it's akin to other high value units like Golani and 8888, but it's just a unit. My friend in Modiin is literally a report editor - not everyone in every unit does every thing.

To answer your other question - Sagi is 48, and one of Israel's most successful technology investors.


Disappointed. I've been with PIA for a few years now and I always recommended them and loved their support. I just cancelled my annual subscription which was due to expire in 100 days. Vote with your wallet. Any recommendations for a new VPN provider?

Me too. I cancelled my subscription about a week ago when I first heard of it (and I explained why on their cancellation form).

I'm looking at Mullvad and NordVPN. I know Nord had a MITM attack on a Finnish datacenter a few months ago and didn't immediately notify affected users. I'm having trouble understanding what it says about Nord's culture and likely behavior in the future. On a technical level, it's pretty bad when users of a VPN like this can be MITM'd. Blaming the datacenter's remote admin tools doesn't help me as a user because the same thing could happen again. I know they have a bug bounty program and audits now, but still I'm concerned that they didn't notify people which might indicate a cultural problem.

How would Nord handle a problem like this in the future, and can we still trust them?


You may want to read the comments and article linked here before thinking about NordVPN: https://news.ycombinator.com/item?id=21664692

They are seemingly sketchily using "residential proxies" at least for Disney+. These proxies seem to be coming from their customers, or customers of a company NordVPN is closely tied to - likely without their knowledge.


Using NordVPN is never a smart idea. Same goes for using a VPN linked to a US company, unfortunately. Use Mullvad or https://www.ipredator.se/

I use Mullvad and have had nothing but positive experiences.

NordVPN apparently using residential proxies is pretty iffy.

Makes blocking harder; cloud/hosting IPs can't access some content.

I know that it makes blocking harder.

It's just that one wonders whether the people whose devices are being used as proxies are aware of the situation.


I would never use NordVPN simply based on FUD-based advertising. The breach is just the cherry on top.

Astrill. Not the cheapest but I am very happy with it. Also to circumvent GFC

I know there are plenty of Mullvad recommendations in this thread, but I can wholeheartedly recommend Mullvad as well. They don't seem to spend as much on marketing as many of the VPN services do, but the service I've gotten is solid, and they seem to have a pretty clean track record.

I just did this and added the reason why. They very quickly emailed me a canned response to this issue. Apparently it's a big deal and lots of people are leaving.

I did unsubscribe a couple weeks ago and got a canned response too, almost immediately.

When your business is privacy and trust, any acquisition is problematic. Let alone an acquisition from a company with a similar track record.


I recommend AirVPN. They're very reliable and run by activist hackers. I've heard good things about Mullvad too.

Yes. Along with IVPN and Mullvad.

They're among the oldest VPN services. Not as old as Cryptohippie, but almost.


I'd suggest you have a look at this site: https://thatoneprivacysite.net/#detailed-vpn-comparison

Personally I'm using Mullvad atm. For Windows I use their client, but you can also download configuration files for WireGuard if you want to do that.


Mullvad. No-email signup, pay with Bitcoin, servers all over the place, speeds great. I’ve been with them 6+ months and couldn’t be happier.

Plus WireGuard support if you care about that.

I recommend ProtonVPN. So far I've been very happy with them and since they're Swiss-based, I am much less concerned about privacy than in the case of a US-based company. I even received a few months of free subscription when I fixed a bug in their CLI client.

Ugh, this sucks. I've used PIA for ages as well. Their infrastructure is really great too - I get better latency on PIA than my own ISP sometimes!

If you got better latency through a VPN than your ISP that means your ISP sucks, not that the VPN is great.

Well, I was using Openreach which is the largest consumer ISP in the UK. Specifically my latencies were better to the US when using PIA. So PIA had more favourable routing / commercial agreements than the largest UK ISP. So I'd say the VPN infrastructure is pretty good, even if it's simply relying on AWS or something.

Get a VPS and run a VPN client to it and/or run Tor. VPN providers suffer adverse selection, catering to powerless customers who don't have their own data centers, but have something to hide. And they know who you are, which Tor exit nodes don't. That makes them juicy targets for spies, not all of whose compromises will be as obvious as a financial takeover.

Then you need to trust the VPS provider.

Also, using a private VPN proxy, you're the only user. So there's even less anonymity than using a VPN service.

The safest bet is arguably Tor. Although the connection to the US government is troubling. And then there's the issue that many sites block Tor users with difficult or impossible CAPTCHAs.

Using nested VPN chains is a reasonable compromise. It's much faster than Tor, and you don't need to trust any one VPN provider.


Yes, you need to trust the VPS provider. But many people already trust Amazon with their credit card number, their home address, which books they read when, and which passages they highlight in them, to say nothing of all the other websites they use that Amazon hosts; trusting Amazon instead of Comcast is probably purely an improvement for them.

Tor is not operated by the US government; it's founded by them and partly funded by them. One reason is certainly to spy on Tor users; another reason is so that their own spies have anonymous internet access to exfiltrate stolen information; a third reason is to enable political dissidents in countries like Australia with onerous censorship regimes to access uncensored information.

If you want to use a nested VPN chain that isn't Tor, how do you authenticate to the last provider in the chain, the one that knows which website you're connecting to? Are you using a VPN provider that you pay in ZCash? Or do they allow anyone to use their server without paying, like a Tor exit?


The VPN that I connect directly to, I pay with a credit card. They know who I am, so why bother trying to hide.

All other VPNs in my chains, I pay with Bitcoin that's been mixed multiple times. I have a bunch of Whonix instances that I use for mixing and storing Bitcoin. They all hit Tor through nested VPN chains.

Each one has an Electrum wallet. It gets its Bitcoin from another Whonix instance through a mixing service. In any given mixing chain, I use a different mixing service for each step.

So then, generally, VPNs that I use less directly get paid with Bitcoin that's been mixed more times. And I never use the same Bitcoin wallet to pay for VPNs at different "levels".

Edit: You say:

> But many people already trust Amazon with ...

I trust Amazon with all those things. As my meatspace identity.

But I wouldn't trust them with information that associates my meatspace identity with Mirimir.


Interesting! Which VPN providers can you recommend?

For many years, I've recommended AirVPN, Insorg, IVPN and Mullvad. And formerly BolehVPN and PIA. There was chatter about BolehVPN's logging policy. And now about PIA's acquisition by a firm with an iffy reputation.

Those are all relatively old, compared to mainstream VPN services. So there's been more time for bad news to come out.

I've also used older ones, such as Cryptohippie and Rayservers. They're among the first OpenVPN-based services. Cryptohippie used to be quite expensive, with a ~low usage limit. But now its price is comparable to many others, and I don't see a usage cap. It's not as fast as many others, but arguably far better secured against adversaries.

Rayservers is extremely old school. They only accept gold-based electronic currencies (Truledger and Loom). Those are pre-Bitcoin. I'm not sure whether they still work.

There are others that I use. But I'm not going to talk about them.


Thank you for sharing your experience!

Genuine question. Why?

Well, I actually wouldn't trust anyone with that.

But Amazon, less so. Because they're totally profit driven. And wouldn't think twice before pwning me.

I want to remain pseudonymous. Basically so I don't need to worry about damaging my meatspace reputation.

And what would be the point of going to all that trouble, if I were going to compromise myself?


Sorry, I just realised my question was super ambiguous as to which part of your post I was asking "Why" to. I was specifically asking why you go to such large efforts to obscure your identity.

You've answered that, but it definitely seems a lot of effort to go to.


About being lots of effort.

It was lots of effort. Some years ago. Mostly in learning how to do it.

But now it's only maintenance.

Not much more than maintaining my perimeter router.


It would be really interesting to see a how-to writeup so that other people can obtain the same levels of privacy without having to go through the steps of learning everything the hard way like you did. Also, it would probably help your privacy if there were other people doing the same thing.

It's also, frankly, a hobby.

And an expression of my commitment to privacy, freedom, etc.


VPNs are a complete red herring placebo, promoted intentionally to distract you from Tor. Tor is one of the only legitimate anonymizing technologies.

Connecting to your own VPN on a VPS is miles better than a retail VPN service, but even for that I wonder what threat model it serves.

• You can ban outgoing unencrypted network traffic without a VPN (a VPN doesn't solve this either btw).

• You can use DNS-over-TLS without a VPN; that solves a big part of traffic analysis.

• If you only have one VPS and only ever connect through that one tunnel, all you accomplished was moving your effective IP to another place. Oh, and you added an extra counterparty in the middle.

The utility of VPNs is, almost as a dumb proxy, to patch malicious/missing functionality from your first-party connection, e.g.: you live in a country that bans IP ranges outside of its borders, your ISP bans BitTorrent traffic, or your ISP is more cooperative with LEO than your VPN provider is. This has nothing to do with anonymization. The VPN or VPS knows who you are.

It's a confusion between privacy and anonymity.


The entire reason I'm using a VPN is that I want my traffic to be lost in the crowd, not to be the only one using a VPN from a VPS.

Since the previous HN post last weekend I cancelled my PIA subscription and went to Mullvad. So far so good.

I've been using ProtonVPN for a while. Speeds are pretty solid, they have a "secure core", and they claim not to do any logging.

ProtonVPN, I use them for email as well. They got in a bit of hot water for helping with the legal case for one of their users, but generally I like to think that if I'm not committing any crimes I'll be ok, come what may.

Do you have information on that? Quick searches didn't find much for me. Thanks.


Got it. I'm comfortable with their level of engagement here, so long as the encryption wasn't breachable.

You also technically don't have to give your real information to a VPN provider.

It could potentially be a violation of Terms of Service to provide a false identity to any provider of any given set of services, but I guess you're technically right.

They don't ask for any identity information right? ProtonVPN even accepts mailing them cash with no return address.

Payment options: https://protonvpn.com/support/payment-options/


Cryptostorm, ProtonVPN, Mullvad are all good choices.

Freedome. They're owned by F-Secure, who have far more to lose than most other VPN providers by pulling stupid tricks.

Can recommend ipredator.se

Thanks for the update, immediately did the same.

Recently started using windscribe and found it extremely good.

https://windscribe.com/?friend=qoeb14pf


I bet there are rules against referral links

Former PIA user who recently just moved to Mullvad [1]. Very transparent about their operations and they don't require any information from you to open an account. You can even mail them cash or pay with cryptocurrency to avoid having your real identity financially linked to your subscription.

[1] https://mullvad.net/en/


Mullvad is who I decided on after this story came to light. I used that one privacy guy's website Excel sheet comparison thing plus personal recommendations.

https://thatoneprivacysite.net/


Wow that onboarding process was slick. Why aren't sites always this easy to sign up for?!

Because most people want some way to reset their password if they forget it.

There is no password, and if you forgot your account number it can possibly be recovered: https://mullvad.net/en/help/lost-account/

Gave them a try for a month. Very easy to set up with WireGuard.

One thing I liked about PIA's app is the kill switch function that prevents internet connection if you're not on the VPN. Does that happen by default when I have WireGuard enabled?

I use this in a place I don’t trust and need to make sure it doesn’t accidentally connect “raw”.

Another nice PIA feature is the ability to check server speed. Any way to know which of mullvad’s servers is the best bet?


With Mullvad there's the WireGuard configuration generator that works with wg-quick, and one of the options is to have it set up an iptables rule to make sure that if the WireGuard tunnel goes down it won't leak until you actually call wg-quick down mullvad-xyz.
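As an added illustration of the kill-switch mechanism the comment above describes (this is a constructed wg-quick config, not the commenter's file or Mullvad's generator output), here is the PostUp/PreDown pattern documented in the wg-quick(8) man page; keys, addresses and the endpoint are placeholders.

```ini
# Constructed wg-quick configuration (e.g. /etc/wireguard/wg0.conf) with a
# firewall-based kill switch. Without the PostUp/PreDown lines, a tunnel that
# drops (or is never brought up) simply lets the kernel route traffic out the
# physical interface, which is the "raw" leak the question above is about.
[Interface]
PrivateKey = CLIENT_PRIVATE_KEY_PLACEHOLDER
Address = 10.64.0.2/32            # placeholder tunnel address assigned by the provider
DNS = 10.64.0.1                   # placeholder resolver reachable only inside the tunnel

# %i is expanded by wg-quick to the interface name (wg0 here).
# The rule rejects every outbound packet that
#   - is not leaving via the tunnel interface      (! -o %i)
#   - is not WireGuard's own encrypted UDP traffic (! --mark <fwmark>)
#   - is not destined for a local address          (! --dst-type LOCAL)
# wg-quick only assigns a fwmark when AllowedIPs covers all traffic
# (0.0.0.0/0 and ::/0), so the kill switch depends on that setting below.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

# PreDown removes the rule only when the tunnel is taken down deliberately with
# "wg-quick down wg0". If the interface disappears any other way, the REJECT rule
# stays in place and traffic is blocked rather than leaked.
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
PublicKey = SERVER_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0      # route all IPv4 and IPv6 traffic through the tunnel
Endpoint = vpn.example.invalid:51820   # placeholder server endpoint
```

To check that the switch is actually armed after `wg-quick up wg0`, `iptables -S OUTPUT` should list the REJECT rule and `wg show wg0 fwmark` should print a non-zero mark; if the mark is `off`, AllowedIPs is not routing everything and the rule would block the tunnel's own packets.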

Their iOS support isn't great.

I’m using ExpressVPN and while they cost more (as much as 3 times as these budget services) they so far seem to offer a fast product.

You can also sign up with crypto currency if you want.


I use Mullvad with OpenVPN on iOS with no issues at all. What issues have you experienced?

You could try it with the WireGuard client for iOS. Just download the config files from their site.

I've used Mullvad on iOS with OpenVPN and WireGuard with no issues.

> You can also sign up with crypto currency if you want.

But can you renew with Bitcoin etc?


There is no difference between signing up and renewing. It's just a balance on some anonymous account number.

Have you tried it recently?

Mullvad accepts Bitcoin and Bitcoin Cash, FYI.

Yes.

I see no cryptocurrency option for renewal.

https://keybase.pub/mirimir/ExpressVPN.png


I believe there's been a bit of confusion, and they were talking about Mullvad.

Ah. Thanks.

But I do recall, in the past, renewing ExpressVPN with Bitcoin.


They also support WireGuard, which is why I use them.

What is it that you believe that PIA is doing or is likely to do, that you believe this service is not/will not be doing?

Given Kape's past history, I'm skeptical that PIA will be able to maintain their current levels of privacy regarding data mining and logging. I'm willing to give PIA the benefit of the doubt and accept that they believe they'll be able to do so, but as is the case in mergers like these, sometimes you simply lose that battle with your new corporate partner. My fear is that they end up doing the same level of shady activity as NordVPN [1] [2] or worse. The fact that Kape paid off PIA's $32.1m debt as part of the deal leads me to believe they'll be looking for more creative ways to monetize the service in the future. Since PIA was in debt, it doesn't sound like maintaining the current service as is would be profitable.

Mullvad's policies and account creation process demonstrate an awareness and commitment to privacy as a number one priority. Yes, at the end of the day, none of us really knows what a VPN service is doing on the back end, but the fact that they have detailed public information about their operations, as well as additional privacy options such as paying with cash/crypto, is a good sign. Other little things, such as supporting WireGuard and running their own Bitcoin nodes instead of relying on third party services for crypto payments, are also good signs that their team has above average technical chops compared to other providers.

[1] https://medium.com/@derek./how-is-nordvpn-unblocking-disney-...

[2] https://news.ycombinator.com/item?id=21664692


> Since PIA was in debt, it doesn't sound like maintaining the current service as is would be profitable.

Private Internet Access is very profitable [1] and our new partner’s action of merging with PIA speaks louder than words whether privacy is important to them.

[1] https://investors.kape.com/~/media/Files/K/Kape-IR/reports-a... (Slide 5)


Outsider here, no dog in this race. Never used a VPN, never really knew much about PIA until the recent merger, but very invested in privacy enhancing technologies. Here's a piece of feedback from that perspective:

I think the critical thing you're missing here is that it doesn't matter if Kape is trustworthy, it matters whether people see it as trustworthy. And you're not in a position to change the latter, no matter how much you talk about the former, because you have a conflict of interest.

The other thing is, you need to be able to explain the merger.

If PIA wasn't profitable, the merger looks bad, because that means that Kape is going to find other ways to monetize it.

If PIA was profitable, the merger is just confusing as heck, because why screw up a good thing? And confusion is bad, because people want security from a VPN. Not the computer kind, the emotional kind. Big upheavals like mergers throw that out the window, so you need to manage that transition very, very carefully.

You're not doing that, so far.


First, I'd like to thank you for your participation in this thread. As a long time PIA customer (until recently), I trusted (and still continue to trust) the current staff. All of my hesitation is with Kape and I truly hope at the end of the day they don't end up steamrolling you.

That being said, if the company was profitable, why even entertain this merger? I simply don't see how getting into bed with a company with such a sordid past is worth it if you were able to make it on your own.


My guess is to partially cash out. According to the doc, the two founders each got about 26m cash and 21m equity in Kape, while PIA only had 14m EBITDA per year and 31m debt. So it's certainly a nice cash windfall for the founders.

This. It seems to be exactly so the founders could cash out.

Thanks for looking it up. This was exactly what I thought.

I don’t know anything about the industry, but my guess is that being a big VPN company puts a target on your back. Everyone pretends they care enough about privacy to use a VPN, but the vast majority of users commingle environments and identities to the point that, IMO, they can be tracked across VPNs.

VPNs are mainly for piracy and it's only a matter of time until big media takes a shot at suing someone. No one wants to be that someone, so selling to anyone becomes attractive. I doubt there's a lineup to buy a company whose main talent is under-assessing risk.


Sorry, I don't click PDFs from companies I don't trust.

Why do you have the belief that the government of the country the VPN provider is operating in is not logging everything that goes into or out of the provider (with or without the provider's knowledge)?

It seems pretty plain to me; Mullvad's website even has the relevant section on Swedish legislation that requires it for national defense.

I just don't see how trust in a provider has any bearing whatsoever on the privacy of the connection they provide; they can't do anything whatsoever to stop (or even detect) governments from logging all of the data that comes into or out of their networks.


Using a VPN is only one piece of maintaining privacy online. It doesn't eliminate the need for end-to-end encryption when dealing with material you wouldn't want third parties to have access to.

A VPN doesn’t maintain any privacy, all it does is switch which set of snoops are monitoring your traffic.

If you're using end-to-end encryption, it doesn't matter that your traffic is being monitored (I mean, that's an oversimplification, as the presence of large amounts of encrypted traffic is notable in itself, but that's outside the scope of this comment).

A VPN is useful in settings where you're dealing with a malicious ISP (for instance, ones that hijack unencrypted HTTP sessions to inject their own HTML) or any untrustworthy third party network. Do I trust my VPN provider more than my ISP? Yes. Do I trust my VPN provider unconditionally? No. That's what end-to-end encryption is for.


Seeing Mullvad being hyped all over since the NordVPN disaster, I predict they will be next.

Next to be what? Hacked? Taken over? Become evil?

Yes.
