Interview with CryptoStorm.is VPN
1) Does CryptoStorm VPN keep any logs, IP Addresses, Timestamps, Bandwidth caps, Traffic or other data?
And, unlike 95% of “VPN companies” answering that question nowadays, we actually know how to do so. It’s not trivial. If there were external, professional audits of these Johnny-come-lately “no logging” me-too companies out there, they’d all fail. I know, because I was part of the team that wrote Cryptocloud’s “no logging” policy back in 2008. Everyone told us we were crazy, or “breaking the law.” And we learned the hard way that not logging takes work – all these systems sort of assume logging as a default.
Nowadays, most people running “VPN companies” can barely get their iPhone to give them directions to the spa – let alone administer a server properly. How many of them are running default OpenVPN (or PPTP, ffs) configurations, out of the box? Apache installs? OS kernel setups? How many know how to silence logging, across machines and OS environments and architectures and application frameworks? Not many.
However, it’s easy to claim “no logging” in marketing rants and nobody ever asks whether they can back that up with facts. Because they can’t.
Put another way: any “VPN company” that uses the freeRADIUS plug-in for session authentication is logging. By definition. It’s not like this is a debatable point. And if there’s a “VPN company” who is NOT using RADIUS at this point, they’re outliers (not counting us – we dumped RADIUS in 2011). RADIUS exists to log.
2) What type of Encryption do you use?
Quoting from our client-side config:
# data channel HMAC generation
# data channel stream cipher methodology
replay-window 128 30
# settings which determine when to throw out UDP datagrams that are out of order, either temporally or via sequence number
# implements PFS via TLS 1.2, natively, thru ephemeral Diffie-Hellman key creation
Corresponding entries server-side, of course. Along with the mandatory…
Yeah, and RSA 2048 for the routine asymmetric stuff – which is mostly deprecated in our PFS model, but still does carry the load of auth’ing server-side creds against passive MiTM. But… anyone who is assuming that RSA cipher suite – irrespective of keylength (and of course most folks generating RSA keys aren’t grabbing sufficient entropy to do so effectively in the first place) – provides any sort of data-channel armouring is sadly confused. It just does cert-cert validation, which… yeah. There’s much more I can say on that, but not yet. To say that “most ‘VPN companies’ are operating on a spectacularly broken PKI/CA/asymmetric cert foundation” is to seriously understate how bad things are out there. But that’s for a future disclosure; for now, suffice to say that most of the RSA part of our cipher methodology is, formally, vestigial. Indeed, we call our client-side certs by that very name in our production setup… just to make it crystal clear to anyone studying our model.
Expecting OpenVPN as an appland protocol to provide PFS on top of a non-PFS’d control channel (SSL/TLS) is just… well, it’s a form of irony, right? We joke that it’s like promising to safely secure a cardboard box within itself. Good luck with that :-)
# exit on TLS negotiation failure
…without that, the ease with which rollback attacks – to SSL 1.0 (!!!) – can be deployed is, simply put, point-and-click.
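As an added example (not cryptostorm’s own code or configuration), here is a small Python audit that parses an OpenVPN client config and flags the points this answer raises: a data-channel HMAC and cipher left at their defaults, no replay-window, TLS suites without ephemeral Diffie-Hellman, no minimum TLS version, and a missing tls-exit. The two sample configs, the hostname vpn.example.invalid, the auth/cipher/tls-cipher values chosen for the hardened sample, and the sets of what the audit treats as weak are all assumptions of this example; the interview quotes none of those values.

```python
"""Audit an OpenVPN client config for the hardening points named in the answer above.
Constructed example: the rule set, the defaults it assumes and both sample configs
are the editor's, not cryptostorm's own files."""

# Constructed sample: a client config that leaves everything at OpenVPN 2.3-era defaults
DEFAULT_STYLE_CONF = """
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
verb 3
"""

# Constructed sample: the same client with every directive the interview mentions made explicit
# (the auth/cipher/tls-cipher values are assumptions; the interview does not quote them)
HARDENED_CONF = """
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
# data channel HMAC
auth SHA512
# data channel cipher
cipher AES-256-CBC
# discard datagrams outside a 128-packet / 30-second window (sequence or time)
replay-window 128 30
# ephemeral DH key exchange, so session keys are not derived from the RSA cert
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
tls-version-min 1.2
# abort on TLS negotiation failure instead of retrying
tls-exit
verb 3
"""

# Assumption: what this audit treats as weak; tighten to taste
WEAK_HMAC = {"none", "md5", "sha1"}
WEAK_CIPHER = {"none", "bf-cbc", "des-cbc", "rc2-cbc"}


def parse_conf(text):
    """Map each directive to a list of its argument lists; '#' comments and blanks are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit(text):
    """Return finding codes in check order; an empty list means every check passed."""
    d = parse_conf(text)
    findings = []

    # Data channel: OpenVPN 2.3 falls back to SHA1 HMAC and BF-CBC when unspecified
    hmac = d.get("auth", [["SHA1"]])[0][0]
    if hmac.lower() in WEAK_HMAC:
        findings.append("weak-hmac:" + hmac)
    cipher = d.get("cipher", [["BF-CBC"]])[0][0]
    if cipher.lower() in WEAK_CIPHER:
        findings.append("weak-cipher:" + cipher)

    # Replay protection window left at its default
    if "replay-window" not in d:
        findings.append("replay-window-default")

    # Control channel: every allowed suite must use ephemeral DH (DHE/ECDHE) for PFS
    if "tls-cipher" not in d:
        findings.append("no-tls-cipher-restriction")
    else:
        for suite in d["tls-cipher"][0][0].split(":"):
            if "-DHE-" not in suite and "-ECDHE-" not in suite:
                findings.append("non-pfs-suite:" + suite)

    # Minimum TLS version: the audit's companion check to tls-exit against version rollback
    ver = d.get("tls-version-min")
    if ver is None:
        findings.append("tls-version-min-missing")
    else:
        major, minor = (int(x) for x in ver[0][0].split("."))
        if (major, minor) < (1, 2):
            findings.append("tls-version-min-low:" + ver[0][0])

    # Fail closed on TLS failure rather than quietly reconnecting
    if "tls-exit" not in d:
        findings.append("no-tls-exit")

    # Client must insist the peer cert is a server cert, or any client cert can pose as the server
    if ["server"] not in d.get("remote-cert-tls", []):
        findings.append("no-remote-cert-tls")

    return findings


if __name__ == "__main__":
    for name, conf in (("default-style", DEFAULT_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "ok")
```

Run it as a script and the default-style sample produces seven findings while the hardened sample produces none; point `audit()` at a real client config to see which of the directives this answer quotes are missing from it.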
3) Where are your servers located and what jurisdiction do you operate under?
We currently run physical machines in Quebec and Iceland, with exit nodes coming online in the UK, Switzerland, Ukraine, Panama, US, and Czech Republic shortly.
We run only dedicated machines, from the metal. Anyone running a “VPN service” via leased VPS “servers” is either engaging in a form of dark satire, is incompetent, is a fraud… or some weird combination of all three. Which means about 90% of “VPN services.”
Our financial footprint exists largely on First Nations sovereign territory bounded by the Canadian province of Quebec – although not subject to its legal dictates per Supreme Court of Canada rulings consistent across many decades. However since we operate via the access token model, we have no direct financial interactions with our network members whatsoever.
Our corporate governance infrastructure is… decentralised. Again based largely on First Nations physical terrain, with operational shards deployed as the dictates of jurisdictional arbitrage best suggest.
4) How do you generally handle requests from law enforcement and copyright agencies?
Hahahaha. Ahem. Hopefully, our record speaks for itself.
5) Do you have access to all your servers, and does the datacenter you use log?
Physical access? Physical access to machines does not increase (nor decrease) operational security.
All datacentres log some degree of traffic parameters for their own network management purposes. This is an assumption of the operational landscape – the threat model – which all providers of secure networking resources must surely understand at this point, right? After the Summer of Tor Takedowns, the idea that colos will resort to armed resistance to LEO is, obviously, silly. Plaintext traffic leaving exit nodes is assumed monitored. That is as true for a network-stack-layer (OSI 3/4) secure provider as it is for Tor living in appland.
The challenge of deploying reliably secure network transit service in an extremely hostile physical connectivity landscape is nontrivial. Tools exist to do so competently, albeit none are perfect. Any project team unaware of those fundamental realities is definitionally unqualified to take money from customers for provision thereof.
Sadly, that includes just about every “VPN service” in the market today.
6) Does your service support bittorrent?
Yes, of course. We are – as any encrypted packet routing service cannot honestly justify being otherwise – protocol neutral. Indeed we are port neutral, protocol neutral, and application neutral. We transit packets, period. How these “VPN companies” that claim they don’t log can then turn around and admit they’re shaping traffic – we used to call it ‘Sandvining’ – is beyond me. It’s like claiming to be standing in a downpour, and yet stay bone-dry.
0) Please tell us, what is your role (in the VPN company, where do you stand, owner, marketer, advertiser etc)?
Me, personally? I’m a member of the tech team. I’ve been involved in cryptostorm (previously known as Cryptocloud) for many years. A chunk of public relations duties sits on my shoulders, because the rest of the team is better at keeping busy with other work & thus it ends up in my lap :-)
We have no “marketing team” and never did. Always been something we plan to do, but the time goes into tech work and customer support – and we just never seem to find people who are able to do real marketing work without – let me be blunt – resorting to bullshit, hyperbole, and smarmy nonsense. Since that’s not who we are, the match isn’t good and we end up going on for years and years with zero marketing.
Oh well. Our excellence in service delivery, our leading role in innovations, and our “no bullshit” honesty have always resulted in customers bringing their custom our way.
Thank you very much for taking the time to answer these. Also, nice looking service. I really like your token auth method.
Thanks for your kind words. Token-based auth has been a goal of our team since late 2008. It took us a little while to work out how to do it right… but five years later, we’ve got it.
As we did in 2008, this fall we sat down to build the secure network service that we ourselves wish existed so we could use it for our own communications. Since nobody provides it yet, we make it from scratch. Now, it exists. This is good.