When the new management team of CrossRider took over, they immediately ceased to engage in the previous business and focused on the opposite, due to the insights they gained watching nefarious developers abuse their platform. With the focus on security and privacy, they changed their name to Kape, and going forward the new company will be called Private Internet, as it will be purely focused on privacy.
The merger between Kape and PIA affords PIA the resources needed to bring privacy to the mainstream. The company can now be decentrally owned by the people, and public reporting requirements are much stronger than those for private companies. Couple this with a new random audit program we are going to launch and it's as transparent as it gets, and it's exactly the direction we at PIA want to go, where our users no longer need to just trust us; instead our actions are and will continue to be verified.
Ultimately, the choice of VPN is yours, but transparency is verification, and with most VPN companies being incredibly secretive about their operations, who is behind them, where they are located, what they do with their funds, etc., I stand behind the move to bring more transparency to privacy.
The company has always practiced sustainable karma - wherein we do what's best for the people/what people want, and that allows us to make a living doing what we love; that's not going to change.
Andrew - Co-Founder, PIA
Transparency is verification, but it is critical you like what you see. With the newly formed Kape link, owned by Teddy Sagi, who has extensive links to other online advertising companies, mobile advertising and online gambling: nothing good for humanity is done by his investments. No, I don't like what I see at all. With the reputation PIA had, I'm actually really surprised you chose to be associated with such a stable as Sagi's.
My sub is due for renewal shortly into the New Year. It won't be.
I bought PIA because it had a stellar reputation back in 2015 or so. Now it went from stellar reputation to "just another VPN provider". Mullvad appears to be the prime candidate now; they're not based in the US, if that means something to you, and they even have WireGuard to play with. Let's go.
You can't trust some random VPN on internet. Anyone could have set it up.
You can only verify. Don't trust. PIA will continue on its mission to increase transparency and set a new standard and expectation in the industry.
With PIA, we will make sure you know what you're getting. Some may choose not to go with PIA, and that is beautiful freedom. For the rest, I'm confident people will choose verifiable transparency over blind trust.
It seems to me that the entire VPN industry has a huge inherent information asymmetry, since it is incredibly difficult for an end consumer to confirm any claims a provider makes about the quality of their product. Economic theory tells us that results in a market for lemons [1]. We just end up with a bunch of low price and low quality products provided by shady companies, because it simply isn't cost effective to compete against those options with a quality product whose quality can't be verified. For a technically savvy end user, you are probably better off rolling your own VPN with open source software you compile yourself rather than trusting any of these black box VPN providers.
[1] https://en.wikipedia.org/wiki/The_Market_for_Lemons
PIA could appear to be 100% transparent while secretly creating and backing up logs, or passing them through a third-party. An auditor is less likely to be fooled, of course.
The bottom line is that it's reasonable for us to choose our VPN based on both transparency and trust, and we have no reason to trust the new owners.
You intentionally placed your product in the hands of this group knocking your own reputation down several pegs below competitors if not out of the picture entirely. Lip service won't win me back.
I did use PIA for the trust, I lost that trust and I will therefore stop using PIA.
What are you talking about? Verify what?
So I did some checking:
* Teddy Sagi is an entrepreneur. To say that he is an ex-spy is a gross misstatement. Yes, he worked as a developer in an Israeli SIGINT program - so do a lot of developers who work for any number of government contractors in the US with security clearances working in SIGINT. Does that make them all spies? If you wanna believe in the conspiracy that all the Unit 8200 graduates who have gone on to found Silicon Valley companies are still state sponsored, then man, you gotta start boycotting all your popular software (and some hardware), 'cause Apple, Microsoft, Oracle, and Facebook all have a hand in buying these startups.
* Crossmark, the company that Kape originally was, had malware which is the equivalent of an ad-supported app on your mobile device - it was bundled with some software (much like Oracle used to bundle adware with the Java installer), and injected browser traffic, while sending user information back, perhaps for better targeting. This is a far cry from actual nefarious malware. Bad? Yes.
* Kape technologies is under the lead of a new CEO that was responsible for transforming the company away from Crossrider towards cybersecurity. Again, if you want to believe in a conspiracy theory, that is your choice.
* All other Teddy's ventures since Kape are in the advertising space. There is a concern that can be made that perhaps advertising is going to sneak into PIA, but let's cross that bridge if it actually happens.
TL;DR: pretty much the expected overblown response, which is sadly becoming the standard for HN. By all means, vote with your wallet, but try to keep your voting consistent. Personally, given the web of investors and ownership that surrounds modern tech companies, I do not see any glaring red flags here.
He's invested in: founding Playtech, an online gambling outfit; a credit card clearing company for online gambling; Kape; Stucco Media, a search engine marketing company; and several mobile advertising companies. Not a list many would associate with either ethics or privacy. Not a list I want to give money to or see succeed. All businesses built on erosion of privacy. Colour me unconvinced seeing a privacy oriented company joining that particular stable.
CrossRider was nothing like you imply. It was a BHO platform that injected a DLL into the browser to allow easier peddling of malware and adware. Why not mention adware? Let's ignore the malware smokescreen you're trying to launch, with them as innocent victim. A platform putting injected adware on my fucking computer is more than enough. Every antivirus and anti-malware platform I'm aware of identified CrossRider as a problem, or flagged its shite as "unwanted program".
Not liking that they now have a plan B that is not an injected adware platform is not "a conspiracy theory". It's simple track record. Given what their first plan did, and how, it'll take considerable effort over considerable time for me to even consider them neutral. They may never reach neutral or "trustworthy" again.
No, all his other ventures aren't in advertising. They are in advertising and gambling - funny you don't mention gambling - and that, for me, is more than enough for choosing a business to rely on for trust and privacy. I don't want to support those sectors. I don't actually want them to exist. I don't actually trust anyone in the SEO, advertising or gambling industries at all, from Google and Ladbrokes down, as they keep doing the opposite of the ethical thing, consistently and repeatedly.
If PIA, who have built a decent and (as far as I can see) well deserved reputation, want to hitch their future to that, well, it's their disappointing free choice. My money goes elsewhere.
They are as bad as, and often indistinguishable from, the least salubrious corners of online advertising in their tracking and data gathering. Unfortunately their determination to keep feeding off addicts and keep tracking the whales is what has driven their data abuses. Responsible gambling is 99.9% greenwashing. :)
> It is routine for sites to demand the transmission of passport and credit card scans, drivers licenses, utility bills and other personal documents. All the available evidence indicates that this information is stored permanently.
Only due to the regulating authorities demanding this to prevent money laundering. Collecting and storing this information is just a huge headache to the gambling companies. I know some small companies do it improperly, but if they could choose themselves they would not have stored it at all. I have never heard of any company using these KYC documents for anything other than storing them for possible police investigations.
> As a rule, they don’t. It is extremely difficult to close an online gambling account, and in my experience impossible to have your data deleted.
This kind of BS with making it hard to close accounts was an issue and has been cracked down on. These days it is very easy to permanently close a gambling account if it is Malta or UK regulated at least. If it is not then you can report them and they can get large fines. It is impossible to get your data deleted though since the casino must keep it for anti-money laundering for a long time. Here I do not know how many actually delete anything once their legal time is up.
> [and] fail to notify customers that personal data will be retained permanently even after an arduous process of account closure.”
Yeah, I think the sites should be more clear about this. But I do not know of any industry which does this well.
Edit: About tracking the whales. No, that is not related to any data abuses as far as I can think of. It would actually be better (from a greedy and selfish point of view) for us if we could delete the gambler's data when they delete their account because then they can register a new account and lose all their money again and we could say we have fulfilled our responsible gambling obligations because there was no way we could correlate the new account with the deleted. Tracking whales is usually mostly done with quite simple BI queries and VIP teams doing work manually.
I am not saying data abuses do not happen in the industry, but it is certainly not built around them or close to as bad as e.g. adtech. Actually ordinary online stores seem often to be worse than casinos when it comes to privacy which probably says more about our current society than about casinos.
Authorities demand tracking/ID info for users because the industry declines to make laundering impossible on their platforms.
This makes him an ex-spy. There's no prejudice or judgement in saying so, it's simply true.
It wouldn't be fair to assume any collusion is going on of course, but considering their past in espionage and the military, it's at least worth mentioning.
But is there more reason to think that their data isn't safe with PIA now than before the merger? Definitely.
You make this sort of action sound out of reach/unreasonable.
When Trump became president, was it still Obama’s administration?
Given my knowledge on corporate governance and publicly held companies, I disagree with your first statement. The CEO and management team are absolutely the ones who define the ethics of a company and are legally responsible as well.
As for Teddy, I'm not sure how knowing his background and being able to publicly verify his moves would cause less trust than, for example, the other VPNs where you have no idea who owns them or even where they are located. Transparency builds trust in real life and there is nothing but transparency here. This isn't blind faith.
PIA has never logged, nor has KAPE. Check out the other providers and see what they have done. It's gross.
Regardless of your decision and your comments, I appreciate your contribution to the discussion.
While I disagree with some of the statements in the thread overall, I recognize that PIA can do more to provide more comfort to people. Unfortunately, I don’t believe in blind trust and theater so all we can do is continue to increase our transparency until there is no need for you to trust us.
And to Zero Trust we are headed.
Happy New Year and thank you for the opportunity to protect you until now. I trust we did a good job, and one day, I hope we will have created an ecosystem that doesn’t rely so much on trust in the future so that you might return and we can serve you again.
It is also worth meditating on the fact that, unlike this very boring (from a legal and political perspective) user, undoubtedly there is a segment of your user base who are dissidents and journalists, for whom the privacy of their online activities truly is a matter of life and death.
Trust is like respect; it should be earned, not given freely. PIA had my trust. You have since eroded it. Not completely, but enough that I am shopping for another VPN. If you want me to sign up again, you must re-earn that trust.
You could start by looking for a new CTO maybe? I mean, Mark Karpeles was such an obvious bad choice.
What transparency? All I see are unverifiable claims. Such claims actually make you more suspect, imo.
> PIA has never logged nor has KAPE.
So you say.
> And to Zero Trust we are headed.
How is 'Zero Trust' in any way related to the issue of transparency you bring up?
The current president picks up where the previous one left off -- they don't start with a clean slate and no historical baggage.
Per this research from Google and other academics, Crossrider was one of the largest "affiliates" of Superfish and other ad-injector malware.
To my understanding, Crossrider was essentially a distributor: they delivered installs, recruited advertisers, and brokered deals with software publishers, knowing that they would be adding malware/adware to the downloaded bundles that would persist on users' machines. And knowing that some users (most or all, really) didn't realize what was happening.
Rather than being a mere bystander, if the researchers are correct and per the HN thread below, Crossrider was an active--and essential--participant in the "Download Valley" ecosystem.
It may or may not be relevant to today's Kape, but we should at least be honest about what these guys were doing in the past. It was ugly. They weren't the only ones, but they were clearly not on the side of the angels. (Worse, YC funded one of their competitors called InstallMonetizer.)
Yep, "consider the source." It's weird how people will strongly imply that reputation doesn't (or shouldn't) be a factor when the internet is involved, that even criminals should be able to fail upward.
To say Kape was involved in adware would be akin to saying the Wright Bros killed millions of people - because they made planes which people used to kill people (which is simply untrue). Even the original article notes this ever so briefly so as not to show Kape positively.
Thank you for your trust until now, and given the long track record and relationship, I hope you can verify my statements as well.
Our future work will always be the same work we have been doing, so whether now or later, I'm confident we will re-earn your trust again, and hope you'll give us the opportunity.
I have in my email a post from longtime senior employee Yonatan Pesses to a LinkedIn group (then named "Downloadable Software Distribution & Monetization") for people working in the pay-per-install space. It is dated Dec 5, 2014, and it reads:
"Crossrider is offering an amazing monetization solution for your MAC traffic! Very easy implementation, with high user value!
I'd say that is pretty clearly more than just an SDK.
I also gather Pesses has recently left Kape: http://archive.is/QYtxD
To me this sounds like if people used Ionic or React Native to make spammy crappy apps and then people blamed those frameworks respectively. It wouldn't make any sense. It's the fault of the app developers or the platforms which distribute the app (e.g. the app store)
Am I missing something here? Did CrossRider have a storefront which actively promoted adware extensions? I'm not able to find anything rationally explaining the amount of backlash and downvoting rasengan is getting.
Also when I google CrossRider I find tons of mentions on malware tracking sites, including Microsoft's, but nothing else really. On the other hand if I would google React I do not think the majority of the results would be from anti-virus and anti-malware.
And in the VPN world, trust is fundamental.
I am still surprised you didn't see this coming.
Why do you say this? Isn't it generally believed that most/all large VPN services are monitored specifically by the governments of the countries in which they operate?
Also, legally, national security letters cannot require monitoring of the contents of communications, but only compel the recipient to produce existing records regarding the communications. For a VPN service that did retain logs, an NSL could require them to be turned over; however, for one which doesn't, there would be nothing to turn over, and an NSL can't compel the collection of such information when it doesn't exist. An NSL which tried to exceed these restrictions can be fought in court.
An ISP named themselves "train station"?
What if it were a matter of health? Should we trust before verifying? Would it still be a “loaded” question?
That would mean there is absolutely no way to improve your privacy and you might as well do nothing.
No? Oh is there a line?
Rather than trusting 1/1 owner of a company you just need to trust 1/n with significant control.
The original PIA group will maintain significant control.
(Long time PIA subscriber who cancelled over the news of acquisition.)
Any increase in the number of people involved in a security related decision multiplies the chance that bad decisions/compromises will happen.
Cf the definition of compartmentalization.
You were one of the most, if not the most successful VPN provider for years. Did you really need more resources? For what?
The main benefit of PIA is the expectation of extra privacy. No matter how you look at it, selling to Kape is a strong signal that's not a priority. Similarly, for hiring Karpeles to do your security (like he hasn't lost us enough already).
Wait... What?!! I just had to look this up. How did I miss this news?
Now... I'm all for second chances in general, but there need to be limits, and my understanding of the MtGox case is that on top of being responsible for terrible security practices, Karpeles lied about the intrusions.
I was actually kinda on the fence before, even when my previously reliable connection stopped working yesterday (probably a coincidence). This makes me not really trust PIA's decision making, which is a real shame. I found the service very solid.
> Beneath it all, some say, Mt. Gox was a disaster in waiting. ... A Tokyo-based software developer [says it] didn’t use any type of version control software [and] he says there was only one person who could approve changes to the site’s source code: Mark Karpeles. ... “The source code was a complete mess,” says one insider.
> The 1,719 lines of commented PHP code...include code to access individual customers’ Bitcoin wallets and to process transactions. ... Anyone who had access to the server running this code could have easily redirected transactions or pillaged the Bitcoin wallets.
What kind of incompetent fool doesn't use version control in this day and age?
His solution to the problem was to make a trading bot with an innovative new strategy of "buy high, sell low". That trading bot was something that he publicly denied multiple times, and it wasn't funded with Bitcoins or dollars to trade; it just made trades without having any funds allocated to begin with. Even ignoring that the deposited funds were stolen, the exchange didn't have any hope of being solvent, because the Willy bot just added funds to the exchange out of thin air. The charitable interpretation of Mark's actions is that he was too incompetent to even realize that his trading bot was losing mountains of cash, too incompetent to realize that he was always draining cold wallets but never filling them back up, and too incompetent to ever bother to run "SELECT SUM(BTC) FROM accounts". The only BTC left on the exchange was the cold wallet that was discovered afterwards, because Mark Karpeles was so incompetent and cavalier with customer funds that he quite literally forgot about one of the cold wallets lying around with 200,000 BTC in it. If he hadn't forgotten about that wallet, he would have kept dumping it in the hot wallet to let the thief siphon off and push the scam out another 6 months before it collapsed. Even at the point that withdrawals were frozen entirely and all of the money that Mark knew about was gone, he still was spouting off B.S. about how it was transaction malleability, it's not our fault, your money's not gone, we just have to fix this bug, etc.
PIA's business is built on trust and rasengan decided to hire Mark Karpeles as their CTO. I honestly can't think of anyone who I would trust less as a CTO than Mark Karpeles. I'm not being sarcastic, I genuinely can't think of someone as bad as Mark for a role like CTO. There's not a chance in hell that I'm going to give PIA another cent based on that alone, even ignoring the most recent Kape debacle.
I don't know if you watch Twitch or YouTube but it seems that every streamer and video is sponsored by NordVPN. I feel like with that kind of advertising budget, it's going to be harder for companies that don't advertise as much.
Yes, to bring freedom thru privacy to people. The coming battle against privacy and free speech is by far the strongest and worst yet; the narrative and our voices are quickly getting quashed.
Without the ability to communicate privately and speak freely, at best democracy is at risk; and at worst, humanity, or what it has meant to be human until now, itself may be at risk.
Divided we are not stronger.
> Similarly, for hiring Karpeles to do your security (like he hasn't lost us enough already).
Cryptocurrency has come a long way, and without MtGox and Mark at the beginning, it may not have been able to make such strides.
I prefer a battle hardened individual over a clean track record of no experience. Failure is the fastest and strongest way to learn and grow stronger.
Overall, I appreciate your words and concerns, but I believe we are strategically moving in the right direction to the world's benefit.
Time will tell.
> Without the ability to communicate privately and speak freely, at best democracy is at risk; and at worst, humanity, or what it has meant to be human until now, itself may be at risk.
> Divided we are not stronger
I was hoping for a real response, rather than the same empty marketing speak.
Of course, the real response is likely 'I wanted to cash out', so I understand why you can't deliver something more convincing.
Failure is not the fastest way to learn when that failure is achieved through fraud.
I was on the verge throughout all of this news, but now finding out about you hiring Karpeles and reading how you defend it really made me cancel all the subscriptions and never come back again.
> to bring freedom thru privacy to people
We are changing the world by fighting in the front lines with our PR as we always did, donating to organizations without pause or hesitation, and sticking to our decisions even when the world may not understand, as they aren't deep in the battle like us.
Time will prove everything, and we will help the people (and freedom of speech and privacy) achieve victory.
Edit: Unable to reply below, so I wanted to clarify - our ad spend oftentimes goes toward the benefit of people as opposed to being direct ads about our company.
You are telling me you did it for PR reasons?? That's not even remotely believable - look at the 'PR' you are getting. This was the goal??
> donating to organizations without pause or hesitation
Surely, you have even less of a voice where donations go than before.
> and sticking to our decisions even when the world may not understand as they aren't deep in the battle like us.
How are they helping you stick to your decisions? You are making entirely new decisions now, and corroding your previous. Are you saying they are 'deep in the battle' like you? What?
Even if they start doing more outreach (doubt Kape helps much there but say they do) now the messages are just going to be tainted with 'yeah, dont trust those guys' comments when a user looks into it.
> ... bring freedom thru privacy to people, The coming battle against privacy and free speech
the claims you make are not only misleading but outright dangerous to anyone who actually needs strong privacy.
P.S.: you are aware that you can still go into the next pub and speak freely with verified (e.g. drinking liquor) humans, which solves by far the biggest issue with "free speech" on today's internet in the "west".
Ok, but you're a VPN provider. When I use a VPN service I am simply moving my trust from the ISP to you. This decision (as well as hiring Karpelès, convicted for fraud) lowers my trust in you.
I am on a year sub with you guys. I don't buy the marketing speak you're spewing here and I doubt I'll be renewing.
WireGuard. Stop sitting on your hands complaining about how WireGuard isn't mature, and support it with the generic native apps (now there's even a (beta) Windows client). The network address selection issue requires engineering effort, but WireGuard itself is most likely not going to address that soon, because it's designed to be a minimal VPN codebase, so why don't you engineer a solution yourself? Or use NAT like NordVPN apparently does.
Explicit stock OpenVPN support. You kind of do this, but it's still difficult or off-putting for non-technical users to figure out which config to grab and how to install the stock client. On your setup page, make sure you're providing a link to the stock (Windows) OpenVPN client and install instructions for Mac and major Linux distros, so that people who don't trust your binary blob installer can use the generic one (minus all the fancy stuff like pretty config for auto-selection of endpoint, showing port number, DNS and kill switch things). Make sure to provide sample configs that are up to date and usable.
Nobody has to trust your software if you make it easy to use a generic client instead.
I realize WireGuard is tricky because it doesn't have ephemeral net address selection built into the protocol, but can you please just get that support done? What is your dev team doing if they're not doing that? They don't have to maintain OpenVPN, unless continually tweaking the custom UI is their prime focus. I'm tired of OpenVPN's instability and risk from its gigantic codebase. I don't care if WireGuard has lurking bugs that make it insecure against the NSA. The NSA is not my threat model. You can support WireGuard while cautioning everyone that you don't trust it as much as OpenVPN, and then let them make the choice based on how much they trust you, how much they trust WireGuard, and how much they trust Matthew Green's audit of OpenVPN.
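A concrete picture of what "use a generic client instead" means for the WireGuard half of the comment above, added here as an example and not PIA's, Kape's or any provider's own configuration: a client config for the stock wg-quick(8) tool shipped with wireguard-tools. The endpoint hostname, tunnel addresses and keys are placeholders. The PostUp/PreDown kill-switch rules are the ones given in the wg-quick man page; they reject any outbound packet that is not tunnel traffic and not bound for a local address, so a dropped tunnel fails closed rather than falling back to the ISP path.

```ini
# Generic WireGuard client config for the stock wg-quick tool (added example, not a
# provider's file). Save as /etc/wireguard/wg0.conf, then `wg-quick up wg0` /
# `wg-quick down wg0`. Every value below is a placeholder.

[Interface]
# Client private key, generated locally with `wg genkey`; it never leaves this machine.
PrivateKey = <CLIENT_PRIVATE_KEY_BASE64>
# Tunnel address the provider assigns to this client (placeholder).
Address = 10.8.0.2/32
# Resolver that is reachable only through the tunnel, so DNS queries do not leak to the ISP.
DNS = 10.8.0.1
# Kill switch from wg-quick(8): reject outbound packets that are not tunnel traffic
# (identified by the fwmark wg-quick sets) and are not destined for a local address.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
# Server public key as published by the provider; the client authenticates the server with it.
PublicKey = <SERVER_PUBLIC_KEY_BASE64>
# Placeholder gateway hostname and port.
Endpoint = vpn-gateway.example.net:51820
# Route all IPv4 and IPv6 traffic into the tunnel (full-tunnel VPN).
AllowedIPs = 0.0.0.0/0, ::/0
# Keep NAT mappings alive when the client sits behind a stateful firewall.
PersistentKeepalive = 25
```

The fwmark the rules test for exists because wg-quick switches to policy routing whenever AllowedIPs covers the default route, which this config does. To check that the kill switch actually holds, bring the interface up, confirm `wg show wg0` reports a recent handshake, then block the endpoint's UDP port upstream: new outbound connections should fail rather than silently leave via the ISP. The ephemeral address selection the comment asks for is outside this file; Address is static here and would have to be filled in by a provider-side provisioning step.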
We do have explicit stock OpenVPN support.
While your adversary might not be the NSA, it’s our duty to only use battle hardened, time proven systems because as others noted, privacy can be life and death.
We aren’t going to falter on it. We never have. And we never will.
NordVPN plays fast and loose, as we see by their masked headquarters location, hidden hacks, and other not so above board actions. It's exactly what I would never want in a VPN, to be clear.
Except when linux users had to use weak keys with your service, I suppose.
I'm going to go on a limb and say that the intersection between "people who don't trust the stock client" and "people who don't know about the stock openvpn client and how to set it up" is very small.
I would say the overlap is actually quite big between that. People who don't trust the PIA client would be the ones who know or are able to find alternatives. It's just that the former group is insanely small as is.
I didn't lose trust in PIA because of Kape, I lost it because your blog post was poorly written and inadequately communicated some very important news. You bury mentions of a merger in the 7th paragraph, wtf?
I can't trust PIA if you can't be trusted to clearly communicate such important information.
Maybe they aren't that, but why should anybody without personal knowledge of the situation trust that they aren't? This is the sort of scenario where 'better safe than sorry' overrules giving the benefit of the doubt.
Verification and transparency are more important than trust.
I realize your question is most likely rhetorical, but I felt the need to articulate my concerns.
You can't be sure. In the Lavabit case, Lavabit argued giving up the key protecting all their users... compromising them to the FBI... would cost them customers due to damaged reputation and privacy. The FBI argued they could do it without telling them. Then, Lavabit would still look private with no financial harm. The judge agreed.
That proposal and the judge agreeing changed how I looked at a lot of companies' claims about law enforcement. I already assumed this would happen with Patriot Act requests by FBI/NSA partnership given they'd be hit with secrecy orders. I didn't see a judge straight up telling a privacy company to defraud all of its customers. I figured the order would be more narrow than that. Now, I have a blanket recommendation to avoid U.S. for privacy tech over both secret government (Patriot Act stuff) and regular, court system.
For context: Facebook told the EU Commission they wouldn't link Facebook and WhatsApp accounts. Then they did it anyway. Sure, they got fined for it, but it's hard to believe that the fine was not factored in from the beginning.
So if they break that part of the agreement with PIA, then what? Is the merger canceled?
> 3. Zero Data – sanctity of personal data – we believe each individual owns his own data; therefore we will never store or attempt to sell what does not belong to us.
Which is vague in the extreme. It does not clarify what 'personal data' means. Is my internet activity when using PIA/Kape's network still my own? Or does Kape now make a claim on this data?
If there is really a 'never log' guarantee, why is this not prominently displayed in the discussion of the merger?
But no longer. I just don't trust Kape.
We don't want people to be stuck with having to blindly believe in and trust us like other VPNs.
Don't trust. Verify.
> Client understands that the present Terms of Service are subject to changes made by PrivateInternetAccess at any time at its sole discretion, and you agree to be bound by any and all modifications, changes and/or revisions. You understand that it is your obligation to periodically review this webpage in order to account for any changes made, as they will be binding upon assent.
Such a line does not build trust, especially given Kape's history. Do you honestly expect us to constantly review the TOS? We're also not lawyers. There's no line that even suggests PIA will even attempt to inform subscribers (at least those you have emails for or through a blog post) of TOS or privacy changes.
> We don't want people to be stuck with having to blindly believe in and trust us like other VPNs.
> Don't trust. Verify.
No trust and no verification.
How do we trust? How do we verify?
That's like saying I can trust Philip Morris International and Altria that they would never downplay the carcinogenic properties of tobacco products because they are public companies.
I don't think that alone is sufficient evidence to immediately completely trust Kape, but it's worth some points in my book. And if the lawyers don't pull out any dirty laundry after a while, I'm going to assume there isn't any.
But Kape is just way too beyond the pale.
Perhaps it's unfair, but the association with Israeli intelligence, and so indirectly with NSO Group and the NSA, is just too much.
Some people whistleblow, while others develop software, and many lecture and teach people.
And most have no problems with what they saw or did, and many used the contacts and knowledge gained from that background to further their civilian careers in the field and continue to maintain those connections and shared goals therewith.
I'm not sure how that's even possible.
It's not a huge issue that Palantir is loaded with former CIA and NSA people. Except about financial issues.
But former intelligence folk running a VPN service? That makes one wonder what their goals actually are. That is, "maintain those connections and shared goals therewith".
Many don't trust the Tor Project, for just that reason.
Who at the Tor Project is a former intelligence employee?
But hey, I gotta say that Paul seems honorable. And a bloody genius, with a great sense of humor.
I'm not a harsh critic. Just prudently suspicious.
> My assertion is that companies are not automatically related to the Israeli intelligence even if their founders came from its ranks. It takes decisive contrarian proof to convince me otherwise.
Why were you so convinced that there is no association? Maybe there is, maybe there isn't, but what we _do_ know is that the CEO is an ex member.
So why use one with anything iffy about it?
However, I gotta say that it's complicated for PIA. There's past evidence of being unable to produce logs for criminal investigators. And now there's the purchase by a firm with an iffy reputation.
However, there's the possibility that said firm was exploited by malware pushers, and not intentionally pushing malware. But still, that's evidence of incompetence, which is also not a good thing for a VPN provider.
And then the CEO's association with Israeli intelligence.
So anyway, it is complicated. But it seems most prudent to wait and see.
Virtually any technology company either founded or operating in Israel has former Israeli intelligence people in its ranks. It's true for Microsoft, Google, Apple, Facebook and others.
As a VPN provider, your reputation and the trust of your customers is vital; in the spirit of transparency I would like to know:
- Change in customer churn since announcement
- Change in new customer signup
I really hope you and your team forecasted potential backlash as part of the merger with Kape and have a plan of action to recover.
VPNs are not the type of consumer product you EVER want to have acquired by ANYBODY. Not by Google, or Facebook, a US company, a Russian company, a Japanese company, NOBODY. Was this not extremely obvious when the deal started to form?
You've made a lot of promises that nothing will change, but those are empty promises given the history of post-acquired companies, as well as the vpn market as a whole. You have a lot of work to do following up on those promises, and until you do you will not have the same level of trust as you once did.
I'm not your great-grandfather, but I also didn't really know (or think of) this. I kinda always thought about VPNs as intranets. I also assumed that browsers are easy enough to hack that you don't need to do a full MITM on the entire network. I also assumed most normal people don't use VPNs.
What would the most common attack vector through a VPN be? My guess would be targeting people that use pirate streaming sites / streaming through proxy IP.
A VPN provider, however, has a captive audience and can be certain who they are attacking.
That's why I encourage these types of things to be set up as public-benefit companies, non-profits, etc chartered to do the good things and not do the bad things. At least, the obvious ones that keep recurring. General principles plus a pile of specifics as examples of them.
[1a] Slide 5 had interesting stats on PIA for anyone interested here - https://investors.kape.com/~/media/Files/K/Kape-IR/reports-a...
[2a] unikmind gets listed as Teddy Sagi on ownership reporting forms
I'm one of those people who understand the importance of reputation and integrity. One bad deal might ruin mine forever. You needed resources to expand your privacy business. Did you try and fail to partner with reputable businesses such as Mozilla, get funding from governments/foundations, etc? Did you try to get with amoral companies whose background or business wasn't harmful to privacy? And, after that, settle for the one company that was interested which could damage your brand?
I have a feeling you didn't since I'm sure there's plenty of companies, non-profits, or cooperatives that might have worked with you who don't have that background. Although I can't prove that, I see investments and partnerships all the time with organizations that raise less eyebrows. That you went with that company will undermine trust.
I'm no longer recommending PIA. I do appreciate that, before this change, your company went as far as defending its users' rights when FBI was after them. I'll still give you credit for that.
Edit re hiring security people: You also keep justifying hiring con men for second chances or doing business with intelligence assets like there were no other alternatives. I've met all kinds of security professionals and cryptographic researchers who haven't taken malicious contracts or damaged others [that I'm aware of]. Quite a few have turned down work because they're ideologically opposed to it or just don't harm others. I'm one of those. So, my next bit of skepticism is that you really couldn't find anyone better than folks like Karpeles. You could've asked here or at Black Hat and probably got a ton of candidates who might be more trustworthy with your customers' privacy.
Mark is a good man and a great developer who fought on the front lines and whom I’ve known for a long time.
I’m not comfortable blindly trusting a random person I meet at a conference with our users’ privacy. You really don’t know who is a current spook, or spy, or worse.
Lastly, to put this to bed in a way that only developers and those that understand could appreciate (like you), we severely limit the people who have infrastructure access as we practice defense in depth, and Mark isn’t one of them.
He stole more money from me than I make in a year. There's surely plenty of other people in this very thread who he also cost dearly because of his callous disregard for our money. He knew the whole time that MtGox was insolvent and he used my cash, everyone's cash, as a giant slush fund. He had no problem pocketing that cash and paying himself a comfy salary knowing full well that he had tons of customers who made the mistake of trusting him with their money and he already lost it. Not to mention trying to make off with the domain and data from his old employer and then after they revoked the domain transfer that Mark fraudulently made he tried to extort it out of them. https://www.documentcloud.org/documents/1227216-karpeles-eng...
> and a great developer
We know exactly what kind of developer Mark is. MtGox didn't even use any form of version control. We have leaked copies of Mark's handiwork and it's absolutely horrifying that someone with his lack of talent was managing hundreds of millions of dollars worth of money. https://github.com/mtgoxleaker/mtgoxphp/blob/90822722620407e...
We're talking about the guy whose legal defense was that he was just incompetent and not malicious. He quite literally just completely forgot about a cold wallet filled with what was at the time worth well over 100 million dollars. No reasonable person would ever conclude that Mark is "a great developer".
I'd be much more comfortable trusting some rando from Defcon than a serial con man that has done nothing but lie and defraud customers and employers for well over a decade. And he's woefully incompetent to boot. Hiring Mark Karpeles as CTO is nothing but bald faced nepotism.
You would be surprised to find that “non profit” doesn’t always mean “for the public good.”
As for others that were willing to partner with us, they wouldn’t sign a no log pact so I had no interest to work with them. It’s shocking how many private VPNs are shadily logging and/or selling your data.
Like every service I use, I plan to take into account what I learn about them and then watch and see what they do.
How do management's economic incentives change through this deal? How much are you cashing out now versus riding into the combined entity?
Hacker News, we won’t let you down.
What does that even mean?
As for VPNs, you have been mainstream.
There was no other VPN service more recommended on reddit. Even here you've made a relevant impact on recommendations.
How does that not provide enough funds? What have you done with all that money and why exactly do you need more?
And I do want to "trust" (as much as I ever do) PIA. It's one of the few that's actually been tested by criminal investigation of a user. And it did, in fact, retain no logs.
I've also been impressed by London Trust Media projects. And I appreciate that increased resources are a good thing.
So anyway, I do wish y'all well.
Correct. Focusing on the founder's alleged ties is a distraction. The real story is "all VPNs are snake oil". The fact that he peddles this should really stand for itself (regardless of his backstory).
Unfortunately for PIA, Kape has done nothing to gain my trust and has done multiple things to erode it. This is an uphill battle for PIA.
Regardless of how they’ve changed, the internet never forgets and it’s incredible no one involved considered the optics of selling a VPN company to a company associated with malware.
IMO you’re likely 100% above board here and they’re a reformed company, but it doesn’t matter. It looks bad.
Where's the link to the GitHub repo?
You are proven liars.
(Thanks for the flag, doesn't change the facts, prove me wrong ;) )
It was from 1995 to 1998 (that's 20 years ago now) before he was at University and is the first item in his work experience. And the length of the position is about the same as military service. I do not know his current age.
I stopped using them because I could stop supporting IE but they had a real product back then.
Teddy Sagi is bad for other (gambling related) reasons - but he is just an investor...
Also calling every one who ever served in 8200 an Israeli spy is ridiculous. Military service is mandatory in Israel. Lots of kids serve in 8200 because they get assigned there for their affinity for math and computers. Most of them do menial Ops tasks, I interview them occasionally for junior positions.
Here are some Israel startups founded by "spies": ICQ, CheckPoint, Wix ...
To answer your other question - Sagi is 48, and one of Israel's most successful technology investors.
I'm looking at Mullvad and NordVPN. I know Nord had a MITM attack on a Finnish datacenter a few months ago and didn't immediately notify affected users. I'm having trouble understanding what it says about Nord's culture and likely behavior in the future. On a technical level, it's pretty bad when users of a VPN like this can be MITM'd. Blaming the datacenter's remote admin tools doesn't help me as a user because the same thing could happen again. I know they have a bug bounty program and audits now, but still I'm concerned that they didn't notify people which might indicate a cultural problem.
How would Nord handle a problem like this in the future, and can we still trust them?
They are seemingly sketchily using "residential proxies" at least for Disney+. These proxies seem to be coming from their customers, or customers of a company NordVPN is closely tied to - likely without their knowledge.
It's just that one wonders whether the people whose devices are being used as proxies are aware of the situation.
When your business is privacy and trust, any acquisition is problematic. Let alone an acquisition from a company with a similar track record.
They're among the oldest VPN services. Not as old as Cryptohippie, but almost.
Personally I'm using Mullvad atm. For windows I use their client, but you can also download configuration files for wireguard if you want to do that.
Also, using a private VPN proxy, you're the only user. So there's even less anonymity than using a VPN service.
The safest bet is arguably Tor. Although the connection to the US government is troubling. And then there's the issue that many sites block Tor users with difficult or impossible CAPTCHAs.
Using nested VPN chains is a reasonable compromise. It's much faster than Tor, and you don't need to trust any one VPN provider.
Tor is not operated by the US government; it's founded by them and partly funded by them. One reason is certainly to spy on Tor users; another reason is so that their own spies have anonymous internet access to exfiltrate stolen information; a third reason is to enable political dissidents in countries like Australia with onerous censorship regimes to access uncensored information.
If you want to use a nested VPN chain that isn't Tor, how do you authenticate to the last provider in the chain, the one that knows which website you're connecting to? Are you using a VPN provider that you pay in ZCash? Or do they allow anyone to use their server without paying, like a Tor exit?
All other VPNs in my chains, I pay with Bitcoin that's been mixed multiple times. I have a bunch of Whonix instances that I use for mixing and storing Bitcoin. They all hit Tor through nested VPN chains.
Each one has an Electrum wallet. It gets its Bitcoin from another Whonix instance through a mixing service. In any given mixing chain, I use a different mixing service for each step.
So then, generally, VPNs that I use less directly get paid with Bitcoin that's been mixed more times. And I never use the same Bitcoin wallet to pay for VPNs at different "levels".
Edit: You say:
> But many people already trust Amazon with ...
I trust Amazon with all those things. As my meatspace identity.
But I wouldn't trust them with information that associates my meatspace identity with Mirimir.
Those are all relatively old, compared to mainstream VPN services. So there's been more time for bad news to come out.
I've also used older ones, such as Cryptohippie and Rayservers. They're among the first OpenVPN-based services. Cryptohippie used to be quite expensive, with a ~low usage limit. But now its price is comparable to many others, and I don't see a usage cap. It's not as fast as many others, but arguably far better secured against adversaries.
Rayservers is extremely old school. They only accept gold-based electronic currencies (Truledger and Loom). Those are pre-Bitcoin. I'm not sure whether they still work.
There are others that I use. But I'm not going to talk about them.
But Amazon, less so. Because they're totally profit driven. And wouldn't think twice before pwning me.
I want to remain pseudonymous. Basically so I don't need to worry about damaging my meatspace reputation.
And what would be the point of going to all that trouble, if I were going to compromise myself?
You've answered that, but it definitely seems a lot of effort to go to.
It was lots of effort. Some years ago. Mostly in learning how to do it.
But now it's only maintenance.
Not much more than maintaining my perimeter router.
And an expression of my commitment to privacy, freedom, etc.
Connecting to your own VPN on a VPS is miles better than a retail VPN service, but even for that I wonder what threat model it serves.
• You can ban outgoing unencrypted network traffic without a VPN (a VPN doesn't solve this either btw).
• You can use DNS-over-TLS without a VPN; that solves a big part of traffic analysis.
• If you only have one VPS and only ever connect through that one tunnel, all you accomplished was moving your effective IP to another place. Oh, and you added an extra counterparty in the middle.
The utility of VPNs is, almost as a dumb proxy, to patch malicious/missing functionality from your first-party connection, e.g.: you live in a country that bans IP ranges outside of its borders, your ISP bans BitTorrent traffic, or your ISP is more cooperative with LEO than your VPN provider is. This has nothing to do with anonymization. The VPN or VPS knows who you are.
It's a confusion between privacy and anonymity.
"Drug dealer post" with ProtonMail response: https://www.reddit.com/r/ProtonMail/comments/dd5dkk/warning_...
Search for "court order" on ProtonMail subreddit: https://www.reddit.com/r/ProtonMail/search/?q=court%20order&...
Payment options: https://protonvpn.com/support/payment-options/
One thing I liked about PIA’s app is the kill switch function that prevents internet connection if you’re not on the vpn. Does that happen by default when I have wireguard enabled?
I use this in a place I don’t trust and need to make sure it doesn’t accidentally connect “raw”.
Another nice PIA feature is the ability to check server speed. Any way to know which of mullvad’s servers is the best bet?
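The kill-switch question above gets no answer in the thread. As an added example (not the poster's code, nor Mullvad's or WireGuard's), here is how that job is usually done on Linux with nftables: WireGuard itself only encrypts the tunnel, so blocking anything that bypasses it is a firewall rule. The interface name wg0, the endpoint address 203.0.113.10 and port 51820 are assumptions and placeholders.

```shell
#!/bin/sh
# Added example: a WireGuard "kill switch" for Linux built from nftables rules.
# Interface, endpoint address (TEST-NET-3 placeholder) and port are assumptions;
# replace them with your peer's values before applying.
WG_IFACE="${WG_IFACE:-wg0}"
WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-203.0.113.10}"
WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}"

# Print an nftables ruleset that drops everything except loopback, replies to
# flows we opened, the encrypted UDP flow to the WireGuard endpoint, DHCP on the
# uplink, and anything inside the tunnel interface. The drop policy also covers
# IPv6, which is the classic leak path when only IPv4 is routed through the VPN.
# Printing rather than applying keeps the result reviewable: pipe it into `nft -f -`.
render_killswitch_ruleset() {
  iface="$1"; ep_ip="$2"; ep_port="$3"
  cat <<EOF
flush ruleset
table inet killswitch {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    iifname "$iface" accept
    udp sport 67 udp dport 68 accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    oifname "$iface" accept
    ip daddr $ep_ip udp dport $ep_port accept
    udp sport 68 udp dport 67 accept
  }
}
EOF
}

# Sanity check before applying: the ruleset must reference the tunnel interface,
# must carry a drop policy and must not contain a bare accept-all rule. A typo in
# the interface name would otherwise hard-drop all traffic, tunnel included.
ruleset_is_sane() {
  rs="$1"; iface="$2"
  printf '%s\n' "$rs" | grep -q "oifname \"$iface\" accept" || return 1
  printf '%s\n' "$rs" | grep -q 'policy drop' || return 1
  ! printf '%s\n' "$rs" | grep -q '^ *accept$'
}

apply_killswitch() {
  rs="$(render_killswitch_ruleset "$WG_IFACE" "$WG_ENDPOINT_IP" "$WG_ENDPOINT_PORT")"
  ruleset_is_sane "$rs" "$WG_IFACE" || { echo "refusing to apply unsafe ruleset" >&2; return 1; }
  printf '%s\n' "$rs" | nft -f -   # requires root
}

# Only apply when invoked with --apply; sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then apply_killswitch; fi
```

To verify the switch works, bring the tunnel down and confirm that pings and DNS lookups to the outside fail rather than silently going out "raw".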
I’m using ExpressVPN and while they cost more (as much as 3 times as these budget services) they so far seem to offer a fast product.
You can also sign up with crypto currency if you want.
But can you renew with Bitcoin etc?
But I do recall, in the past, renewing ExpressVPN with Bitcoin.
Mullvad's policies and account creation process demonstrate an awareness and commitment to privacy as a number one priority. Yes, at the end of the day, none of us really knows what a VPN service is doing on the back end, but the fact that they have detailed public information about their operations, as well as additional privacy options such as paying with cash/crypto, is a good sign. Other little things, such as supporting WireGuard and running their own Bitcoin nodes instead of relying on third party services for crypto payments, are also good signs that their team has above average technical chops compared to other providers.
Private Internet Access is very profitable and our new partner’s action of merging with PIA speaks louder than words as to whether privacy is important to them.
https://investors.kape.com/~/media/Files/K/Kape-IR/reports-a... (Slide 5)
I think the critical thing you're missing here is that it doesn't matter if Kape is trustworthy, it matters whether people see it as trustworthy. And you're not in a position to change the latter, no matter how much you talk about the former, because you have a conflict of interest.
The other thing is, you need to be able to explain the merger.
If PIA wasn't profitable, the merger looks bad, because that means that Kape is going to find other ways to monetize it.
If PIA was profitable, the merger is just confusing as heck, because why screw up a good thing? And confusion is bad, because people want security from a VPN. Not the computer kind, the emotional kind. Big upheavals like mergers throw that out the window, so you need to manage that transition very, very carefully.
You're not doing that, so far.
That being said, if the company was profitable, why even entertain this merger? I simply don't see how getting into bed with a company with such a sordid past is worth it if you were able to make it on your own.
VPNs are mainly for piracy and it’s only a matter of time until big media takes a shot at suing someone. No one wants to be that someone, so selling to anyone becomes attractive. I doubt there’s a lineup to buy a company whose main talent is under-assessing risk.
It seems pretty plain to me; Mullvad's website even has the relevant section on Swedish legislation that requires it for national defense.
I just don't see how trust in a provider has any bearing whatsoever on the privacy of the connection they provide; they can't do anything whatsoever to stop (or even detect) governments from logging all of the data that comes into or out of their networks.
A VPN is useful in settings where you're dealing with a malicious ISP (for instance, ones that hijack unencrypted HTTP sessions to inject their own HTML) or any untrustworthy third party network. Do I trust my VPN provider more than my ISP? Yes. Do I trust my VPN provider unconditionally? No. That's what end-to-end encryption is for.