It might be that PIA is not going to start doing anything shady, and they'll still be a (relatively) well-respected VPN company after the merger. But if you're currently a PIA user, it would be foolish to keep using them while you're waiting for them to prove that. Cancel PIA for now, and if a year from now they're still on the level, you can make a more informed decision about whether or not to go back.
There's no reason for you personally to be the canary in the coal mine, just use someone else while you're waiting to see what happens.
I advocate somewhat strongly for paid 3rd-party VPNs, not because I think they're great, but because I think they are sometimes the least-bad option -- 3rd party VPNs address privacy problems that self-hosted VPNs can't, and unlike Tor, VPNs actually scale well for regular Internet browsing.
I do however fully acknowledge that shifting trust can be dangerous, so I recommend people be willing to quickly jump ship between VPNs, and possibly use different VPNs for different services. You should be a little nervous around your VPN provider, and you should hold them to really high standards.
In PIA's case, I notice looking at their pricing page that they offer 1-2 year plans in addition to monthly plans. Not everyone has the money to ignore deals, but if you do have the money, paying an extra $35-40 a year just so you can easily switch VPNs on a whim is probably worth it. In general, for services that can pivot in quality quickly (like a VPN) it is usually worth paying monthly rather than yearly (again, assuming you have the extra money to do so).
> I advocate somewhat strongly for paid 3rd-party VPNs, not because I think they're great, but because I think they are sometimes the least-bad option -- 3rd party VPNs address privacy problems that self-hosted VPNs can't
Well said. I would add that they're also useful in situations where you don't care about privacy at all. E.g. you don't care if your ISP logs that you're watching Netflix, you don't care if your VPN logs that you're watching Netflix, but you (and to some extent Netflix) have an interest in making it seem like your computer is located in a different country than it is.
Region-shifting and preventing non-government adversaries from discovering your real identity from your IP address are both valid reasons to use a commercial VPN. I suppose the reason why those who oppose commercial VPNs discount these two is that they're mostly used for IP infringement.
> But if you're currently a PIA user, it would be foolish to keep using them while you're waiting for them to prove that. Cancel PIA for now, and if a year from now they're still on the level, you can make a more informed decision about whether or not to go back.
How will they prove it in a year?
And what threat is it you think the shady guys are going to pose? They'll start spending more money to keep logs? I guess they could get in bed with law enforcement but I doubt that pays well. Maybe the RIAA/MPAA will pay them off?
Logging data costs money, but selling data earns money. Also, if the parent company is known for malware then getting mitm-attacked by your VPN sounds like an actual risk if you have any unencrypted traffic passing through it.
Would you be alright if a VPN profiled and sold your browsing habits, engaging in a very traditional, even benign business model similar to what everyone else is doing (e.g. credit cards, etc.) -- but with the knack of keeping your real identity strictly anonymous and detached from these activities?
In other words, would you be alright if the VPN built a profile of your VPN identity? The corollary, I think, asks if you're interested in a VPN to separate your activities, or to thoroughly diffuse them for actual information loss.
So what’re the recommendations for alternatives? It seems like quite a lot of VPNs play their cards close to the vest - and at the end of the day, all I want is a modicum of privacy and to safely torrent a movie for my PLEX server instead of having to dig up my Blu-ray reader and rip it myself once in a while.
I can't give you a checklist for how you should determine who you trust -- that's one of the reasons why I don't advocate for or endorse any particular VPN, and one of the reasons why I don't disclose which VPN providers I use. The difficulty of determining which VPNs to trust is why I call them a "least-bad solution" rather than a "good solution."
There are a few other people on this post who are recommending specific VPNs, and you can (and should) look through some of their justifications for why they like their providers. A couple of things you can look into if you want to know where to start:
- What technologies are they using, contributing to, etc? Do they have a good rapport with Open Source communities?
- Do they support OpenVPN/WireGuard? I advocate against using a custom VPN client; I don't want my provider to ever touch my computer, only my traffic.
- What's their privacy policy look like? Do they make public commitments to destroy logs? Are their claims on-their-face absurd? There's no such thing as a VPN that does zero logging at all, so if someone is claiming perfect anonymity, I distrust them from the get-go.
- Have they had data breaches in the past (for example, NordVPN)?
- Are there any high-profile cases of them refusing to provide logs to someone?
- What country are they located in? Depending on the country, a foreign VPN can complicate collusion efforts.
- Do they pay for ads, and how do they advertise? Do they make inaccurate guarantees about what a VPN can and can't do? A VPN isn't going to protect you from the police, and a VPN on its own will not make you private, so I distrust companies that make those claims.
- Do they seem competent? Do they have instructions on how to deal with things like DNS leaks, or how to set up killswitches?
That's not an exhaustive list. It is absolutely a pain to determine trust -- this is the biggest problem with 3rd-party VPNs. Don't go crazy with it; a VPN is just one layer in your privacy setup, so it's OK to have something imperfect. Don't aim for perfect privacy, aim for "better than what I currently have."
You come off rather imperious in your comments here. Between the number of "I" self-references in your first post, to this saccharine checklist that is more show-off than informative.
As usual, I think the reaction to PIA's corporate restructuring is a lot of hot air over nothing. Typical of most hot air, it is released to draw attention to the source and not convey any real concern.
People should be really careful before they jump to a VPN provider. The amount of data transmitted over the connection and exposed to the VPN as an intermediary is grossly underestimated. The only real explanation for so many iffy VPN providers popping up over the last few years is that they're mining the data for something, whether it's selling analytics, setting up a honeypot, manipulating traffic/piggybacking on VPN users as a botnet (cf. Hola), or whatever.
That said, if you really need a third-party VPN, FoxyProxy's branded VPN service available through https://getfoxyproxy.org is probably pretty good odds. I've never used it personally so I can't vouch all the way, but it's supporting an open-source project by someone who seems to really care about his users and has put more than a decade into supporting a great extension, so that puts it far ahead of most of 'em from the get-go.
If we're talking spending extra for switching flexibility, just abandoning PIA midway through your year-long subscription term and writing off whatever you paid works too.
Streaming, downloading multi-GB files like games or HD movies, playing games online while avoiding (at least some) latency, uploading content or hosting your own file-sharing servers.
It's not just a speed problem. Within the Tor community I personally still see a lot of people saying that behaviors like these are selfish because they take up too many volunteer resources. Maybe it's a little unfair of me, maybe those people are misinformed -- but I interpret that as meaning that the community doesn't think Tor can scale to meet those demands.
With either a 3rd-party or a self-hosted VPN, you can reroute literally all of your network traffic from all of your devices without giving it any thought, and the only time you'll really need to get off is if you're accessing a blocked website or doing something that demands very low latency.
IMO defining all of those things as "regular usage" is problematic.
In regards to your specific list, that's an above-average internet user, in which case I think a better solution is diversifying your network connection methods. Trying to use one tool for that entire range of traffic centralizes it needlessly, and you'll get more effective privacy by avoiding that.
Furthermore, if you want more speed out of Tor I'd argue step one is running a node and contributing and/or donating at least.
Unless this has changed in the last few years, anyone can set up an exit node on Tor and begin proxying your traffic. It's just a switch in the config.
The risk profile is somewhat lower now that HTTPS is prevalent, but it's still unnecessarily exposing at least one side of the conversation to literally anyone. Most of the time, you're better off just using your ordinary connection -- then you at least know that it's $LOCAL_TELCO sniffing the packets.
Tor is excellent and it has uses, but I've had to explain to many people over the years that day-to-day browsing like checking email, checking bank accounts, etc., is far less safe through Tor than through a direct connection (at least for people in the US -- if you're using Tor for its intended purpose of thwarting oppressive regimes, crossing your fingers on the exit node lottery is probably preferable).
I don't really understand your point. I think most people would agree that TLS ought to be considered baseline, as sites are often (even in this thread) ridiculed harshly on HN for NOT using TLS.
>The risk profile is somewhat lower now that HTTPS is prevalent, but it's still unnecessarily exposing at least one side of the conversation to literally anyone. Most of the time, you're better off just using your ordinary connection
I think this is simply wrong, and lacks any threat model at all. Why do you care that encrypted bits can be sniffed by an exit node? The node can't even determine the 2nd hop, much less the origin.
> The node can't even determine the 2nd hop, much less the origin.
The point is that users should be cautious about what they do over Tor because exit nodes can eavesdrop on (and potentially manipulate) the conversation.
The onion mechanism isn't relevant here. It prevents peers from identifying each other within the onion, but it doesn't do anything to prevent the exit node from accessing the raw packets involved in the conversation -- indeed, the exit node must access those packets to proxy them. It's true that some of the traffic will be protected via HTTPS, but even encrypted packets can be made useful in various ways.
The reality is that you're introducing a random computer into your network path and that you're trusting that computer to proxy your connection without a) eavesdropping; or b) modifying contents. The prevalence of HTTPS may or may not be sufficient mitigation for some, but any analysis of the propriety of Tor to access non-onion sites is fundamentally incomplete if it doesn't acknowledge, contemplate, and address the implications of inviting a random computer to MITM the connection (as the Tor FAQ has done for at least the last 10 years: https://2019.www.torproject.org/docs/faq.html.en#CanExitNode...).
>The point is that users should be cautious about what they do over Tor because exit nodes can eavesdrop on (and potentially manipulate) the conversation.
No, they can't. Unless you don't use TLS...which is addressed in the FAQ you linked. Who is it that can break TLS that you're concerned about? Again, without threat modeling this is all lacking a lot of context and purpose.
HTTPS doesn't change the attack surface, it's just assumed to make it inaccessible. The exit node is still in the middle, and they absolutely can still listen.
TLS will probably defeat script kiddies that are just after the "thrill" of voyeurism, but more advanced operators will make use of the attack surface you're offering them, even if they aren't ever able to decrypt the payloads (not necessarily a guarantee). There's lots of room to analyze and manipulate encrypted HTTPS traffic in interesting ways (SNI, non-secure cookies probably good starting points).
TLS depends on correct configuration on both the client- and server-side to be effective (and an interested proxy could try to modify the handshake to downgrade the connection's security). Whole versions of SSL/TLS have been deprecated after fundamental flaws were discovered; things like Heartbleed, POODLE, and Debian's low-entropy key debacle were all real things that made TLS much less secure than expected. An exit node operator that knew about these flaws prior to disclosure could've been having a heyday while users just said "Welp, if I use HTTPS Everywhere it'll be fine".
Even without bugs, when TLS is ostensibly working completely properly, the trust model is frequently hijacked. See the CACert wiki [0] for a list of several dozen well-known attacks on CAs, many of which allowed imposters -- on multiple occasions state-level actors -- to issue fake certificates for specific domains, which a malicious exit node could inject.
The incontrovertible point is that using exit nodes exposes some prime attack surface to literally anyone, and yes, that's still attack surface, even if you're 1000% sure that your encryption is so super-duper strong that literally no one will ever be able to break it.
The exposure is real, the risk is real even if not necessarily always immediate, and it needs to be considered along with the other factors. Any risk analysis that involves accessing clearnet resources via Tor exit nodes should contemplate this.
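The SNI point above in concrete form, as an added example that is not from the thread: even on an HTTPS connection, a passive on-path observer (an exit node, an ISP, a VPN server) can read the hostname from the unencrypted ClientHello unless Encrypted Client Hello is in use. The block constructs its own ClientHello bytes (no captured traffic) and parses the server_name extension out of them, which is the check you would run against a capture of your own traffic to see what it exposes.

```python
import struct

# TLS constants (RFC 5246 record/handshake layout, RFC 6066 server_name extension)
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B


def build_client_hello(hostname=None):
    """Build a minimal ClientHello record. Constructed sample, not captured traffic:
    the random field is zeroed and only one cipher suite is offered."""
    body = b"\x03\x03"                                   # client_version: TLS 1.2
    body += b"\x00" * 32                                 # random
    body += b"\x00"                                      # session_id length 0
    body += struct.pack("!H", 2) + b"\x13\x01"           # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                                  # compression_methods: null only
    # supported_versions goes first so the parser has to skip an unrelated extension
    sv = b"\x02\x03\x04"                                 # one version: TLS 1.3
    extensions = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    if hostname is not None:
        name = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry               # ServerNameList
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake))
    return record_header + handshake


def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None when the
    record is not a ClientHello, is truncated, or carries no SNI (ECH, or a bare IP)."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:
            return None                                  # truncated capture
        i = 2 + 32                                       # client_version + random
        i += 1 + p[i]                                    # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]      # cipher_suites
        i += 1 + p[i]                                    # compression_methods
        if i + 2 > len(p):
            return None                                  # hello with no extensions block
        end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            data = p[i + 4:i + 4 + elen]
            i += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            j = 2                                        # skip ServerNameList length
            while j + 3 <= len(data):
                ntype = data[j]
                nlen = struct.unpack("!H", data[j + 1:j + 3])[0]
                j += 3
                if ntype == 0:                           # host_name entry
                    return data[j:j + nlen].decode("ascii", errors="replace")
                j += nlen
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    for host in ("example.com", None):
        print(repr(host), "->", extract_sni(build_client_hello(host)))
```

On a real capture you would feed the first record of each TCP stream's client side into extract_sni; everything it returns non-None for is a hostname the on-path party learned without touching the encryption.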
You're clearly not a novice in this domain, but I'm having difficulty understanding your assessment without any sort of threat model.
The risks you're detailing are likely insignificant for 99% of users right now. Using Tor doesn't imply a specific threat model, and that notion weakens Tor security and anonymity as a whole.
Fully agree with all of the above. I've been a happy customer of PIA's for years now and, as such, they've built up relatively solid trust with me (for a third-party VPN company). Even still, I only renewed on a yearly basis because a) things in tech, especially security, change quickly and b) companies also change quickly and, like today, that change can be greatly for the worse.
I can't personally understand buying in to such a service for a timespan measured in years.
Yes. He advocates for third party VPNs, but PIA was acquired by a shady company, so not them anymore, because there’s now a reason to distrust them specifically.
PIA meets 100% of the criteria outlined in that post however with no discussion of how to determine or measure additional criteria like future possible bad behavior based on corporate ownership, which was the genesis of the whole thread.
Ostensibly the "paid" portion of the criteria is a proxy for incentive to not do shady things like show ads or distribute malware.
20 months later, PIA open sourced its iOS app, older versions of its browser extensions, and 2 Swift libraries. Everything else is still closed source.
Thanks for bringing this up commoner and really appreciate your patience. You are absolutely right that we are open sourcing our software - there were some delays as we completely rewrote our desktop application from scratch.
This was a major concern from our new partners as well, as they have been asking us to release the code as well - we are all on the same page here.
While I can’t give an exact date, I’m confident that the rest of the code will be released in 2 weeks or less. Along with our QT/CPP cross platform application, we will also be open sourcing our search engine, private.sh!
Hope this helps and sorry again for the delay,
Andrew
Usually, Subreddits are created by fans of the service. This is the first time I'm noticing a complete corporate subreddit. All the moderators are the staff of PIA. [1]
It will be interesting to see how much they accept criticisms on the subreddit about PIA.
The Go language subreddit had been modded by Google employees. They lost interest and decided to shut it down and there was a bunch of hubbub. In the end they thankfully decided to give the subreddit to the community.
Please Don't
...
Take moderation positions in a community where your profession, employment, or biases
could pose a direct conflict of interest to the neutral and user driven nature of reddit.
> Reddiquette is an informal expression of the values of many redditors, as written by redditors themselves
But I guess it makes sense for Reddit to move away from that rule. That's how you get big campaigns with companies like Adobe. Not by taking away their sub-reddits.
Personally I think I even prefer that though. Better than having heavily biased "community moderators", which is the case in way too many sub-reddits.
I seem to recall the "League of Legends" subreddit having a meltdown when its mods were found to be simply compromised by the company, rather than employed by it
Reddit was not happy with the r/Blizzard mods during the blitzchung thing.
Redditors are basically never happy with anything. Their ideal world is some place with no rules except that everyone else is forced to read their comments. Unfortunately, such a place does not exist.
Most forums on the internet are like that and it’s not exactly unexpected because people who care about writing something in an Internet forum will also be pedantic about what they want. This forum is no exception (you can pretty much see this in action whenever Electron is mentioned).
Many people try to reduce complex multi-variate situations into simple variable situations and then lambast people on other forums if their chosen variable turns out to be different.
I just saw an example of this last week in the mobilereads forum. Unhappy with iBooks and the Kindle apps, I’ve been reliant on Marvin for quite a time. But the dev has vanished from the scene for the last 2 years. I just investigated if creating a commercial replacement would be a good idea but good god, the one forum where people have been talking about Marvin can have extremely ultra specific needs for a very unreasonable price expectation. After reading that forum I’m not exactly surprised that the dev chose to abandon the goal post.
Happens a few times. For the Endless Space/Legends series of games, we made their community manager a mod (they are essentially running the subs, but don’t have founder status and technically we could intervene if they behave in a questionable way). It usually depends on who created the sub. Some of them are set up as official channels, others are community-run but with a good relationship with the company (an example for the latter would be the Paradox subreddits, they are independent but have a good relationship with Paradox).
Alberto Contador initially won the Tour de France in 2010, but tested positive for traces of clenbuterol. He blamed it on meat he had been eating. It has become a meme in cycling circles.
Whether critical or loving, we really appreciate any and all feedback from our users and the community. We accept all criticism with open arms and, furthermore, will not be censoring our subreddit as that would undermine free speech - the very thing we are fighting for.
"Heavily moderated" does it a huge disservice. The narrative is controlled, with any dissenting opinions removed and accounts banned. The sub is completely censored, see for example:
Except that all Blockstream projects are not only allowed, but promoted on r/bitcoin. If the sub's own rules were followed they should be banned.
For example, how Liquid, a centralized sidechain that goes against the idea of cryptocurrencies, is promoted as a "solution" to many of Bitcoin's problems. But any critique of it is banned.
It's obvious that the mods are somehow associated with Blockstream. Only a Blockstream employee such as yourself would disagree.
In fact, r/btc is controlled by for-profit entity (bitcoin,com which has little to nothing to do with Bitcoin the project) and has advertisements blasted all over the subreddit page.
It is the furthest thing from a lie and can be verified by anyone who wants to try posting to both subreddits. Anyone can also go to a site that shows deleted comments and see the discussions that get deleted on /r/bitcoin.
That's an obvious lie; people paid by Blockstream directly or indirectly have been in control of the sub for years, deleting any thread or comment that contradicts the narrative they want to push.
This is a well worn topic and I think you know that. Surely you realize that anyone can google "Blockstream takeover" on reddit, but are counting on people not doing research.
This is meant for people who aren't familiar with the takeover of the Bitcoin GitHub and subreddit. /r/bitcoin deletes anything that goes against blockstream's narrative while /r/btc is an open discussion. /r/btc is constantly trolled with full on lies.
The effort is all to keep Bitcoin constrained to never increase its throughput so that people will be forced to use Blockstream's awkward and unnecessary layer on top. This is why all the original developers and more were replaced with people funded by Blockstream. While there are many contributors listed on GitHub there is very little development allowed to be merged from outsiders.
If anyone doubts this, go try to have a discussion of increasing the block size on /r/Bitcoin and see how fast your comments are deleted or your account banned. Make sure to look at it without your main account. At best they will tell you it is impossible even though many other cryptocurrencies have done it with no problems (and anyone can see that the resource usage is tiny). These things can be independently verified.
It's easy to check the sidebar. There are links to bitcoin.com and a bunch of others as well.
> Most of the mods are employees of Bitcoin,com.
Funny, how you're the one quite literally lying. It's called psychological projection.
Of course, the Blockstream propaganda is what destroyed r/bitcoin, and it's quite common here on hacker news as well. Just look at who's writing the comment...
I lost faith in PIA caring about privacy of its customers when I noticed how they use unique tracking codes in their newsletter emails. I never received a response when I asked about it.
Just about every single one of the email newsletters you receive from anyone does this. It's for tracking clicks to links in an email, opens of an email, etc.
Not apologizing for PIA - They definitely shouldn't be doing it if they're trying to advocate for privacy. But just stating it's extremely common practice and the default for most email services. I use it on my e-commerce websites so that I can send specific emails to people who have viewed a certain page, abandoned checkouts, opened a certain email but didn't convert, etc.
We had an issue with PIA's Android VPN breaking our app, they never responded to our PGP'ed ticket and the email address embedded in their PGP keyblock bounces.
Thank you for bringing this to our attention mehhh. I will get into this PGP bouncing issue immediately. In the meantime, please feel free to contact me with PGP - my public key is pasted below and you can mail me at a at londontrustmedia.com:
Freenode is a non profit organization that benefits from support from Private Internet. It is not owned by Private Internet. We are serious fans of IRC and the open source community, so it makes sense for us to divert profits to orgs like freenode among others.
You are just plain wrong. They’re both owned by the newly formed “Imperial Family Companies” and they both show up under the portfolio, along with the rest of the brands that used to be part of LTM.
Any recommendations? This looks bad, really bad. CyberGhost, a previous VPN bought by Kape, went to shit.
For the Pia engineer who ends up reading this.
I have been a PIA user for 5+ years. I have recommended it to friends and family. Now I have to tell them all to cancel.
Seconded. It's Mullvad, tho, not Mulvad ;)
I have been a customer for a while and cannot complain. They support WireGuard, which is nice, and of course plain OpenVPN connections, but offer apps for various platforms too. They do not pay for reviews, which is nice (and quite telling that others do), and they are owned by two Swedish guys. Their price is €5/month (for 5 simultaneous VPN connections, no data caps) and you can pay in cash* or bitcoin if you want.
And no, I am not paid or otherwise compensated to write this, or affiliated with them other than being a customer.
[*] They even say: "Please avoid writing your name or address on the envelope."
Do they take any other cryptocurrencies, or would I have to convert some other coin into bitcoin to pay them?
OpenVPN is nice, since my OpenWRT router can be a client.
EDIT: I emailed Mullvad and received a reply within 15 minutes! and it answered my questions accurately! I think they win the customer service award for today :D
Hard to believe any VPN company provides serious protection from the American government. In the highly unlikely event that the company won't cooperate they can just compromise you outside that channel. See everyone who thought Tor was enough to evade the US government.
I trust Mozilla to not cooperate with anyone less powerful than Uncle Sam which is a lot more than most shady fly-by-night VPN operators.
If you're using your VPN as protection against your ISP, wifi provider (internet Cafe, school, workplace, home), or some other MITM you're better off with a service run by a serious company, with a lot to lose from a scandal and a long track record of not lying and being technically competent.
If you're looking to hide your browsing from the US government you should a) give up or b) definitely not use a commercial VPN.
NordVPN is a security nightmare. I usually recommend either Mullvad or TunnelBear depending on whether you care more about quality of service or ease of use.
The problem with NordVPN isn't that they had a breach and their keys were leaked (ok, well that is huge fucking problem) due to a forgotten KVM but that they didn't fess up till 18 months later when some independent researcher brought that to light.
Given all the shilling and backstabbing in the online VPN recommendation industry, it’s hard to trust any advice now, not even comments here. God knows who’s a shill.
But those geoblocks and the occasional need to anonymize activities... Really hard to solve. (I know Tor. Tor is too damn slow.)
Actually, far worse than the shills are the cancelling virtue signallers who have nothing better to do than 1) quit a service because someone tells them to; 2) go running to that forum looking for approval by telling them "I cancelled!"
In the UK you can buy a "travel card" with cash at any Post Office counter, they are just regular MasterCard cards and can be used like any other debit card, including online purchases. They are even reloadable and contactless too.
I don't recommend ProtonVPN - tried it and if you're torrenting they throttle you to 20Mbps. Shady past connection to NordVPN / Tesonet also a concern.
Paid "Plus" plan and connecting to their dedicated P2P servers in Switzerland and Sweden. Definitely getting throttled by them to ~20Mbps while torrenting. Tried a competitor VPN - no throttling, torrenting at full speed. Glad I only paid for a month - they won't be seeing any more of my money once the month's up.
I can vouch for Mullvad. They don't do paid promotions like Nord or Express and enjoy a fairly good reputation. You can actually even pay them cash by mailing a fiver to Sweden with your account number on a note lol.
That's another plus. You don't actually have to register an account with them, but instead their website generates a random number for you that you use to log in. All in all they appear to be very transparent.
I love this one: https://airvpn.org/ "A VPN based on OpenVPN and operated by activists and hacktivists in defence of net neutrality, privacy and against censorship."
This is the problem with several privacy companies and one that we don’t take lightly. At Private Internet, we are heavily focused on research and, specifically, have been focused on creating service architectures that limit or remove the need for trust altogether. That is what Zero Trust and Zero Access are about, and it’s the only direction we are heading. That’s why, for example, we launched private.sh, a search engine that you don’t need to trust.
That being said I do want to mention, most VPN companies won’t sign a binding agreement not to log - whereas our partners at KAPE signed an entire binding mission statement which you can find here:
It doesn't seem very trustworthy when the whole page talks about how much they value privacy, then the video at the bottom of the page requires you to enter an email address to watch it.
A business dedicated to privacy is completely incompetent if they can’t even use HTTPS.
I cancelled my sub minutes after learning about the news. I would hope the PIA engineer can see through what buyout propaganda they are being fed and see the writing on the wall.
Friendly reminder: Azure and AWS both offer a free tier of VMs which are perfectly sufficient for a personal OpenVPN server. Azure even has a preconfigured option in their marketplace that's easy to set up in a legal jurisdiction of your choice.
Probably so does AWS and even DigitalOcean, but I'm most familiar with Azure because of my own preference for open source (Azure's orchestrator is https://github.com/microsoft/service-fabric/). After the free year, a minimal always-on VM costs about $13/mo.
Second, you don't just want to prevent MITM, you (hopefully) also care about sites tracking you. For example, you have a Linux/Firefox user-agent and you are browsing HN in private mode; you close the window and start over. No cookies or other artifacts of the previous session remain, but your user-agent and IP combination is unique enough to identify your device. Now if you are using a VPN service there might be at least a handful of Linux/Firefox users out of millions that share the same IP.
Third, most VPN users like the geoip flexibility it allows them (bypass filtering or access different content).
Fourth, a VPS dedicated to this one service means you are now the admin of one more server that needs to be patched and supported by you (admin overhead)
Fifth, some sites block you if you use cloud provider IPs.
Sixth, some VPN providers specifically host their infra in privacy friendly jurisdictions and take precautions cloud/vps providers might not (legally and technically).
Seventh, reputation. No one will bat an eye if Microsoft let some country's law enforcement have logs of your traffic in Azure. But by design, outbound VPN traffic can only be logged on the VPN server and it would ruin their reputation if they disclosed logs or tampered with traffic which translates to monetary loss.
VPN services are far from perfect but they hardly have any replacement. Just pick one with a good reputation.
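The linking argument in the second point, as an added example that is not from the thread: a small simulation in which the device column is ground truth the site never sees, and the site has only (IP, user-agent) to work with. Devices, addresses (documentation ranges) and the VPN exit address are all constructed; the anonymity set size k says how many devices a site would have to choose between when it sees that key again in a fresh cookie-less session.

```python
from collections import defaultdict

# Two user-agent strings as a site would log them. Constructed sample values.
UA_FF_LINUX = "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0"
UA_CHROME_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78.0 Safari/537.36"

# (device, public_ip, user_agent). 'device' is known only to this simulation;
# a site observes just the other two columns.
DIRECT = [
    ("laptop-1", "203.0.113.10", UA_FF_LINUX),
    ("laptop-2", "203.0.113.25", UA_FF_LINUX),
    ("laptop-3", "198.51.100.3", UA_FF_LINUX),
    ("laptop-4", "192.0.2.77", UA_FF_LINUX),
    ("desktop-1", "203.0.113.50", UA_CHROME_WIN),
    ("desktop-2", "192.0.2.9", UA_CHROME_WIN),
]
VPN_EXIT = "198.51.100.200"   # shared exit address of a hypothetical VPN server
VIA_VPN = [(dev, VPN_EXIT, ua) for dev, _ip, ua in DIRECT]


def anonymity_sets(sessions):
    """Map each device to k, the number of distinct devices sharing its (ip, ua) key.
    k == 1 means that key alone re-identifies the device across cookie-free sessions."""
    devices_by_key = defaultdict(set)
    for device, ip, ua in sessions:
        devices_by_key[(ip, ua)].add(device)
    return {device: len(devices_by_key[(ip, ua)]) for device, ip, ua in sessions}


def candidates_for(sessions, ip, ua):
    """What a site can infer about a fresh visit carrying no cookies: the devices it has
    previously seen with exactly this (ip, ua) key. One candidate is a positive match."""
    return sorted({dev for dev, sip, sua in sessions if sip == ip and sua == ua})


if __name__ == "__main__":
    for label, sessions in (("direct", DIRECT), ("via VPN", VIA_VPN)):
        print(label, anonymity_sets(sessions))
```

The same computation scales to real logs by keying on whatever the site has (IP, UA, screen size, fonts); every extra attribute shrinks k, which is why the VPN's shared address only helps while the rest of the fingerprint stays common.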
For example with PIA, they are incorporated in the great surveillance kingdom of the UK, which is why I avoided them. They did not take the necessary legal precautions and their freenode acquisition made little sense from a profit perspective, which all in all suggests a grand scheme/vision not obvious to customers.
It depends on your threat model. If you're worried about threats below the level of major nation-states a big company could make more sense. If for example a VPN company was caught bundling malware with their VPN client they would be over, but their owners would lose much less than Google would under the same circumstances.
Google will cooperate with big governments, but you can be confident they aren't owned by the Russian mafia.
If you're dealing with nation states, all the big cloud providers have NSA presence in their network. Even without that, secret warrants are a thing and VPS providers rent datacenters from someone else, and that someone else (Azure, Hetzner, OVH, etc...) also rents out infra to VPN providers. The only difference is VPN providers sell VPN while VPS providers let you access the whole VM.
The only difference is how a VPN provider can be incompetent or malicious. It is less likely for MS to be incompetent but so long as the nation state is a western nation, they are more likely to be malicious.
I guess it does depend on your threat model but I would say for most people who don't have a specific threat in mind they should exclude highly sophisticated attackers, much like how you don't secure your house against sophisticated bank robbers that might pull a heist on you.
> The only difference is how a VPN provider can be incompetent or malicious.
Agree completely
> It is less likely for MS to be incompetent but so long as the nation state is a western nation, they are more likely to be malicious.
Yes, but as I argued in the comment you replied to, the difference in maliciousness is effectively infinitesimal because the govt can get access to any VPN provider.
There are different factors to consider; even if Microsoft intentionally infected people with ruddiam malware, at worst they get a fine and bad PR with tech circles -- their cash cows Windows and Azure remain unaffected. With a VPN provider like, say, Freedome, any sign of malice will cost them not only their VPN business but F-Secure's ability to provide infosec services. Same with ProtonVPN and ProtonMail, and unlike Microsoft the CEOs are much more likely to be held accountable since they reside in countries like Finland and Switzerland where privacy laws are very strict. Those countries may not like it if Microsoft did the same thing but they can't extradite Microsoft's CEO and even if they do the company is not incorporated in those countries. You want a VPN provider to be run by well known people that are not too powerful or too connected and reside in countries that will hold them accountable. Their main revenue stream needs to also depend on the reputation of the VPN service.
> Their main revenue stream needs to also depend on the reputation of the VPN service.
I disagree with your last statement completely. A company dependent on VPN revenue will be incentivized to do whatever they can to get and monetize VPN customers. A company that offers VPN services as a side operation that isn't financially key to their operations won't be incentivized to lie to gain users, cut costs to compete with other VPN operators, or use malware to monetize their user base.
Microsoft could not care less if you pay them a few dollars a month for a VPN. They're certainly not writing software to target people running VPNs on Azure and inject tracking and ads to make a minuscule profit. But - if news broke that they were abusing any Azure users - Microsoft would lose a significant amount of corporate and government business.
Can you name a single example of Microsoft exploiting anyone with malware? No, because the resulting reputational crisis would devastate their ability to sell their "cash cows".
Fsecure's infosec business is worth a minuscule fraction of Microsoft's businesses, and thus the potential losses from being exposed as a scam are much less.
In contrast, 57% of the top 150 free VPN apps on the Google Play Store contain code to get the user's last location, and a small number request permission to read SMS messages and take pictures https://www.bleepingcomputer.com/news/security/malware-user-...
Your comment on extradition isn't particularly relevant. Users abused by Microsoft could sue Microsoft in US court, and Microsoft would face significant legal and reputational penalties if they broke the law.
In contrast, while Finland and Switzerland do have strong privacy laws, that doesn't mean it's impossible for a "Finnish" or "Swiss" VPN provider to get away with violating user privacy. A criminal VPN provider could for example claim to operate in a country they didn't, or incorporate in a country while residing in a country less likely to prosecute them. Not saying I have evidence this happened, I am however saying that the fact that European countries in general care more about privacy doesn't make it impossible for a European company to get away with violating user privacy.
>For example with PIA, they are incorporated in the great surveillance kingdom of the UK, which is why I avoided them. They did not take the neccessary legal precautions and their freenode aquisition made little sense from a profit perspective which all in all suggests a grand scheme/vision not obvious to customers.
If the reason you are using a VPN is to avoid potentially untrustworthy middlemen, sure. But if you are after the privacy benefits of sharing an IP address with thousands, then a self hosted VPN won't help you.
Why not? Unless your instance has a reservation of a public IP you are sharing the outbound IP with thousands of other connections. The actual problem with such setups and VPNs is the constant captcha because you are not using a residential IP range.
Digital Ocean would be $5 per month. I'm not sure what their logging/privacy policy is, though, because I found their terms documents so broad and confusing.
PIA is a trade name of London Trust Media, not a separate entity. The copyright on the bottom of PIA's homepage names LTM, and you can see the registration if you search for 20181014437 at https://www.sos.state.co.us/biz/BusinessEntityCriteriaExt.do
announces the proposed acquisition of LTMI Holdings
Freenode was bought under LTMH. Confusingly similar names, but different companies.
o Plus Ultra – a software that speeds up internet connections
o LibreBrowser – a completely private browser
o Private.sh – a private and encrypted search engine based on proprietary cryptography technology
And then includes a list of what else the acquisition actually includes. No freenode listed there.
Thanks for the reference! I found LTMI's registration in Delaware (file numbers 6362713 and 5806497; 4797091 looks unrelated). I see how this doc says Kape is acquiring LTM, but Freenode's announcement specifically says it's coming under PIA. Other things line up, like Christel being the Freenode admin and PIA Chief Communications Officer, even writing a blog post about this acquisition: https://www.privateinternetaccess.com/blog/2019/11/the-conti...
Besides this document's omission, what leads you to think Freenode is not part of PIA?
Edit: I'm not trying to make an ad hominem here, but I see in an earlier comment you describe yourself as the CEO of irc.com, which is also a PIA project (in some sense - again, I don't know the legal relationship or if there's a separate entity). So it sounds like you know what you're talking about, and I hope you can help find or make public some material support for the claim that Freenode is unaffected by this.
Indeed another comment further up cites his involvement before he'd admitted it. Everything about PIA is super shady. rasengan has always been a bit off, and some of his comments show glaring holes in his knowledge of his own field. ryanlol nailed him to the wall pretty handily a few days ago. It's almost like some comments are normal, some are like the PR guy grabbed the keyboard. All I know is I won't touch PIA or Nord anymore.
This is the same PR blabbering that occurs with any acquisition. It means nothing just like any other. I’m cancelling and changing providers. Does anybody have recommendations?
I'll be going from ProtonVPN to Mullvad because Mullvad does not offer any deals (which, in a way, I like as besides it being honest for a low price it allows me to unsub for a month). ProtonVPN with Secure Core is just too expensive IMO, but the primary reason is Mullvad offers WireGuard, and when I looked them up I saw no red flags whatsoever. You could argue "Sweden" but not all ProtonVPN employees are residing in Switzerland either, so they could be coerced.
Thankfully, I don't have to worry that much about it. My only concern is that they don't keep logs and that they're not automatically updating and loading my PC with malware.
Though, if PIA ever put malware in their installer it would be like hitting the self-destruct button.
Neither do I. I don't tunnel 0/0 through VPN; only some BitTorrent traffic. This is civil court work; not criminal court. That the NSA (and EU counterparts) can figure out what I use BitTorrent for, that I take for granted. They're [in this use-case] not my adversary.
The submitted title was "PIA bought by company known for distributing malware". We changed it to the article title in accordance with the site guidelines: https://news.ycombinator.com/newsguidelines.html, which ask "Please use the original title, unless it is misleading or linkbait; don't editorialize." One reason we have that rule is that we're not in any position to decide the truth or falsehood of contentious claims.
Not if it is an encrypted connection and you are using a third party client, no. PIA supports OpenVPN and IPsec (IKEv2, iirc), for which most operating systems already have either native or popular trusted and secure clients.
Sorry, I must be missing something obvious so please let me know, but VPNs are literally MITM: they terminate your encrypted connection with the client and establish a new connection with the outside world from their end. So it doesn't matter if the client is trusted, they can do whatever with the data before relaying it to the outside and before encrypting and sending back to the client.
> VPNs are literally MITM: they terminate your encrypted connection with the client and establish a new connection with the outside world from their end
I think you misunderstand how VPNs work.
They tunnel, not terminate traffic. It is effectively a NAT service, with extra steps.
Take the scenario of a TLS connection to www.example.com:443 [1.2.3.4:443]
Connection A: Direct to the internet through my ISP.
I'll make an outbound connection to 1.2.3.4:443, and the IP that the remote sees will be the public IP that my ISP has assigned me. All traffic on that TLS connection is encrypted and my ISP can't view the content.
Connection B: Using a VPN Service
I'll make an outbound connection to 1.2.3.4:443, and the IP that the remote sees will be the public IP that my VPN Service has assigned me. All traffic on that TLS connection is encrypted and neither my ISP nor the VPN provider can view the content.
In both scenarios, the TLS Connection is direct to 1.2.3.4:443, and my client will and should verify that the presented certificate is for cn=www.example.com (or a SAN with that cn), and signed by one of the Root CAs that my computer/software trusts.
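The certificate check the comment above describes, as an added example that is not code from the thread: it matches a presented certificate against the expected hostname (DNS SANs first, CN only as a fallback, wildcards restricted to the leftmost label) and builds the client context that makes that check mandatory. The certificate dict is constructed to mirror the shape Python's `ssl.SSLSocket.getpeercert()` returns; it is not a real certificate.

```python
import ssl
from typing import Any

# Constructed sample in the shape of ssl.SSLSocket.getpeercert(); not a real cert.
SAMPLE_PEER_CERT: dict[str, Any] = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}


def _label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the entire first label, must not cover a bare TLD,
    # and matches exactly one label (so *.example.net != a.b.example.net).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict[str, Any], hostname: str) -> bool:
    """Does the presented certificate cover `hostname`?
    DNS SANs take precedence; the CN is consulted only when no DNS SAN exists."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        dns_names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_match(name, hostname) for name in dns_names)


def strict_client_context() -> ssl.SSLContext:
    """Client settings that make chain and hostname verification mandatory.
    They are the same whether packets leave via the ISP or a VPN tunnel;
    only the source IP the remote sees differs."""
    ctx = ssl.create_default_context()  # system trust store, TLS 1.2+ defaults
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    print(cert_matches_hostname(SAMPLE_PEER_CERT, "www.example.com"))   # True
    print(cert_matches_hostname(SAMPLE_PEER_CERT, "api.example.net"))   # True
    print(cert_matches_hostname(SAMPLE_PEER_CERT, "evil.example.org"))  # False
```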
They're recommended by PrivacyTools.io¹ You can read more about their methodology² and what's wrong with most other "VPN review" sites.³ They're also a top pick from wirecutter.⁴
I believe that the title should be changed because: "In late 2012 Sagi acquired the start-up company Crossrider for $US 37M." [1]
That alone tells you that Kape (or rather, Crossrider's current owner) had nothing to do with their past actions, and the title could therefore be considered libel.
Moreover, the post that someone linked with all the proof is pretty much a lot of FUD, and while I'm not happy with the sale, I fail to see any actual proof being brought up.
Whoa, whoa. You're the one misleading people here. Sagi (a person) purchased Crossrider outright for $37M then RENAMED Crossrider to Kape.
It's even more clear that the Crossrider "Adtech" (read Adware) was produced by the very same company Crossrider which is now called Kape. They are one and the same.
But the title of the thread insinuates that Kape is known for distributing malware, not the company it had acquired. I personally believe that there's a big difference between saying: "PIA bought by company that also acquired a company known for distributing malware" and straight out claiming that PIA's acquirer distributes or has distributed malware at some point in time.
What PIA is this about? Pakistan International Airlines? Who also own the Roosevelt Hotel in New York? Famous for the livery with the green tail marked PIA.