Interview with VPN


Interview with VPN

1) Does CryptoStorm VPN keep any logs, IP Addresses, Timestamps, Bandwidth caps, Traffic or other data?


And, unlike 95% of “VPN companies” answering that question nowadays, we actually know how to do so. It’s not trivial. If there were external, professional audits of these Johnny-come-lately “no logging” me-too companies out there, they’d all fail. I know, because I was part of the team that wrote Cryptocloud’s “no logging” policy back in 2008. Everyone told us we were crazy, or “breaking the law.” And we learned the hard way that not logging takes work – all these systems sort of assume logging as a default.

Nowadays, most people running “VPN companies” can barely get their iPhone to give them directions to the spa – let alone administer a server properly. How many of them are running default OpenVPN (or PPTP, ffs) configurations, out of the box? Apache installs? OS kernel setups? How many know how to silence logging, across machines and OS environments and architectures and applications frameworks? Not many.

However, it’s easy to claim “no logging” in marketing rants and nobody ever asks whether they can back that up with facts. Because they can’t.

Put another way: any “VPN company” that uses the freeRADIUS plug-in for session authentication is logging. By definition. It’s not like this is a debatable point. And if there’s a “VPN company” who is NOT using RADIUS at this point, they’re outliers (not counting us – we dumped RADIUS in 2011). RADIUS exists to log.

2) What type of Encryption do you use?

Quoting from our client-side config:

auth SHA512
# data channel HMAC generation

cipher AES-256-CBC
# data channel stream cipher methodology

replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order, either temporally or via sequence number

# implements PFS via TLS 1.2, natively, thru ephemeral Diffie-Hellman key creation

Corresponding entries server-side, of course. Along with the mandatory…

Yeah, and RSA 2048 for the routine asymmetric stuff – which is mostly deprecated in our PFS model, but still does carry the load of auth’ing server-side creds against passive MiTM. But… anyone who is assuming that RSA cipher suite – irrespective of keylength (and of course most folks generating RSA keys aren’t grabbing sufficient entropy to do so effectively in the first place) – provides any sort of data-channel armouring is sadly confused. It just does cert-cert validation, which… yeah. There’s much more I can say on that, but not yet. To say that “most ‘VPN companies’ are operating on a spectacularly broken PKI/CA/asymmetric cert foundation” is to seriously understand how bad things are out there. But that’s for a future disclosure; for now, suffice to say that most of the RSA part of our cipher methodology is, formally, vestigial. Indeed, we call our client-side certs by that very name in our production setup… just to make it crystal clear to anyone studying our model.

Expecting OpenVPN as an appland protocol to provide PFS on top of a non-PFS’d control channel (SSL/TLS) is just… well, it’s a form of irony, right? We joke that it’s like promising to safely secure a cardboard box within itself. Good luck with that :-)

# exit on TLS negotiation failure

…without that, the ease with which rollback attacks – to SSL 1.0 (!!!) – can be deployed is, simply put, point-and-click.

3) Where are your servers located and what jurisdiction do you operate under?

We currently run physical machines in Quebec and Iceland, with exit nodes coming online in the UK, Switzerland, Ukraine, Panama, US, and Czech Republic shortly.

pia red

We run only dedicated machines, from the metal. Anyone running a “VPN service” via leased VPS “servers” is either engaging in a form of dark satire, is incompetent, is a fraud… or some weird combination of all three. Which means about 90% of “VPN services.”

Our financial footprint exists largely on First Nations sovereign territory bounded by the Canadian province of Quebec – although not subject to its legal dictates per Supreme Court of Canada rulings consistent across many decades. However since we operate via the access token model, we have no direct financial interactions with our network members whatsoever.

Our corporate governance infrastructure is… decentralised. Again based largely on First Nations physical terrain, with operational shards deployed as the dictates of jurisdictional arbitrage best suggest.

4) How do you generally handle requests from law enforcement and copyright agencies?

Hahahaha. Ahem. Hopefully, our record speaks for itself.

5) Do you have access to all your servers, and does the datacenter you use log?

Physical access? Physical access to machines does not increase (nor decrease) operational security.

All datacentres log some degree of traffic parameters for their own network management purposes. This is an assumption of the operational landscape – the threat model – in which all providers of secure networking resources must surely understand at this point, right? After the Summer of Tor Takedowns, the idea that colos will resort to armed resistance to LEO is, obviously, silly. Plaintext traffic leaving exit nodes is assumed monitored. That is as true for a network-stack-layer (OSI 3/4) secure provider as it is for Tor living in appland.

The challenge of deploying reliably secure network transit service in an extremely hostile physical connectivity landscape is nontrivial. Tools exist to do so competently, albeit none are perfect. Any project team unaware of those fundamental realities is definitionally unqualified to take money from customers for provision thereof.

Sadly, that includes just about every “VPN service” in the market today.

6) Does your service support bittorrent?

Yes, of course. We are – as any encrypted packet routing service cannot honestly justify being otherwise – protocol neutral. Indeed we are port neutral, protocol neutral, and application neutral. We transit packets, period. How these “VPN companies” that claim they don’t log can then turn around and admit they’re shaping traffic – we used to call it ‘Sandvining’ – is beyond me. It’s like claiming to be standing in a downpour, and yet stay bone-dry.


0) Please tell us, what is your role (in the VPN company, where do you stand, owner, marketer, advertiser etc)?

Me, personally? I’m a member of the tech team. I’ve been involved in cryptostorm (previously known as Cryptocloud) for many years. A chunk of public relations duties sits on my shoulders, because the rest of the team is better at keeping busy with other work & thus it ends up in my lap :-)

We have no “marketing team” and never did. Always been something we plan to do, but the time goes into tech work and customer support – and we just never seem to find people who are able to do real marketing work without – let me be blunt – resorting to bullshit, hyperbole, and smarmy nonsense. Since that’s not who we are, the match isn’t good and we end up going on for years and years with zero marketing.

Oh well. Our excellence in service delivery, our leading role in innovations, and our “no bullshit” honesty have always resulted in customers bringing their custom our way.

Thank you very much for taking the time to answer these. Also, nice looking service. I really like your token auth method.

pia red

Thanks for your kind words. Token-based auth has been a goal of our team since late 2008. It took us a little while to work out how to do it right… but five years later, we’ve got it.

As we did in 2008, this fall we sat down to build the secure network service that we ourselves wish existed so we could use it for our own communications. Since nobody provides it yet, we make it from scratch. Now, it exists. This is good.


~ pj

Check out VPN

About Author

Brandon Stosh is the founder and CEO of Stosh is a cyber security researcher and professional consultant who strives to provide reliable news on cyber-security based topics.


    • Wasn’t cryptocloud by the guy who got busted with over 300 pounds of coke ( no not pepsi ) in his car and got only 3 years jail time then joined hushmail as soon as he got out and ….

    • We’ve actually done quite a bit of research into that Torrenfreak article, and nowhere in the underlying documents can we find reference to privacy services of any kind. Likewise, Dr. Geist makes no such reference – that comes only when Torrentfreak “summarises” the state of affairs. It’s possible they have documents nobody else has seen, but if that’s the case we’d hope they’d share their sources for independent review.

      Harper is, of course, no fan of civil liberties and these efforts to compel ISP-level logging are nothing to cheer. However, scare-mongering isn’t helpful; it distracts from the underlying issues.

      As our architecture has no customer database, no customer records, and no central infrastructure, it’s not really accurate to say we’re “based” out of anywhere. Some of our administrative processes are handled geographically within the borders of Canada… but subject to First Nations legal framework, not the Crown. Which is somewhat of an important distinction, although given that our footprint geographically in Canada is no more central than in several other distributed jurisdictions, it’s largely irrelevant in practical terms.

      The best way to protect against jurisdictional rot is to avoid an absolute commitment to any one jurisdiction. That’s our approach.

  1. Actually, we heard there’s this guy who got busted hijacking a rocket ship to the moon but then he got out and he went to the NSA and built a supercomputer from legos and then he went to work for Facebook… lol.

    We appreciate creative trolling as much as anyone else… but creative is the operative word. Boring trolls are boring. Sorry, you’re no Weev :-P

Leave A Reply

Send this to friend