Leave Surveillance Behind - Forever
no compromise vpn

New ToS

It is with a mix of pride and humility that I am announcing the implementation of Cryptocloud’s new Terms of Service. These “ToS” - combined with our longstanding Privacy Policy - form the framework of our formal relationship with our customers. And I’m proud of both documents: they are a good reflection of who we are, what we stand for, and our dedication to no-compromise privacy service.

So that is what I’m proud of. What about the humility?

Well it’s always good to be humble, but there’s more to it than that. I’m going to level with you and just tell it like it is. Cryptocloud has been in the VPN business since 2007, and I’ve been with the company every step of the way - so I can talk about the entire history of our company firsthand. When we started in 2007, there was no “VPN industry.” There was one other company of note - Relakks - and they were merely selling PPTP-based VPN service (amazingly, they still are). With my co-founder, we did some heavy research and right away saw that PPTP was close to useless in terms of real security. So we decided to build our VPN business on OpenVPN - nobody had done that when we decided to do it, and everyone said we were nuts.

Maybe we were, but we pioneered an entirely new way of protecting our customers. Instead of just using the easiest tech pieces to do the job, we set out to use only the best tools in terms of real customer security - and whatever it took to make those tools work, that was our job, what our customers pay us to do, basically. Producing our first OpenVPN-based client wasn’t easy and we burned through plenty of midnight oil to get it done and make it reliable and easy to use.

Back then, there weren’t off the shelf “graphical” OpenVPN clients that normal people like me could actually use, not like today - you had Yonan’s codebase (which was solid then, and is solid now)… and the rest was up to you. It was a wild time, and we broke new ground every day with our approach to VPN service.

So when we got around to building our first website to market the service, we were in a headspace to bring the same attitude to everything about our business - not just our choice of world-class technology. We got to writing the HTML for our first Terms of Service page (it’s probably still lurking out there in the Wayback Machine archives, if anyone cares to dig it up that’d be cool - we were known as ‘goldens.com’ back then) and the lawyers told us to stick in pages and pages of legalese and other crap. Standard practice, they said - everyone does it.

To hell with that;

We told them, with due respect, to take their legalese and use it for wiping. Instead, our little team of hardcore privacy zealots did something that “everyone” said you couldn’t do: we wrote our Terms of Service as if they actually mattered - like they were what defined our responsibilities to our customers, and that we were signing them in blood. We stripped out all the garbage, and squeezed them down to the core elements. And we wrote them in English - not lawyerspeak. We argued about them, we edited them, and then we published them.

Nobody had done anything like that. But we were helping to invent a new “industry” so why not? There were no rules, so we made new rules. Our rule was “customer privacy comes first” and our second rule was “we’ll take a bullet to protect our customers” - if they watch our back not doing the (very few) things we said weren’t ok in our ToS (our stance against underage content was hugely controversial at the time, and we had some good debates with the privacy community about our unambiguous, honest, direct approach to the issue), then we’d watch their back like nobody’s business. And if the shit really hit the fan, we’d shut the company down before we’d become snitchware and turn on our customers.

That was more than five years ago. We took some flak for doing what everyone said “you couldn’t do.” The other big thing we did was announce a “no logging” policy, from Day One. They said that was impossible, too - and look how things have turned out. Anyway, it was pretty clear that we COULD use whatever ToS we wanted to - who was going to stop us?

But in the last couple of years, our ToS kind of bloated out. An edit here, a little bit of language that the lawyers said really had to be added there. Each step made sense, one at a time. But… the whole thing was a mistake. We let our ToS drift off into something that didn’t really reflect who we are as a company, and as a team.

We were fighting battles on many fronts - some you probably know about, a few nobody outside the company understands (yet). And we took our eye off the ball with our ToS. The version that eventually came out of that wasn’t terrible - but it wasn’t great, either. It’s not something we’re proud of.

That is the humility. 

We screwed up, and we drifted from our principles and from our roots as a groundbreaking industry leader. True enough that those ToS never actually resulted in us doing wrong by any customers - they were “just” words on a page, and didn’t change how we do business in real life. But they were still wrong, and we were wrong to let them get established in our company. 

Recently one of our forum admins called out another VPN company for some ugly ToS terms - and everyone assumed that the company, and me, were secretly pulling his strings. Hah. Right. Point in fact: when he went public with that critique - which has yet to be answered by Torguard in any public way, I might add (forum trolling and comment spambots don’t count lol) - I went back to make sure our own ToS were up to snuff and… holy shit. So it’s pretty clear that my friend PJ did what he so often does - took a stand, went public, and didn’t ask advice or approval from anyone first. Yep, that’s him.

Once that happened, I saw right away that our ToS were not going to cut it. Our team got together for some pretty heated meetings, and we hashed through a re-write. Really more of a return to what our ToS always were: reflecting our company, our values, and our “no compromise” stand for customer privacy. They’re a little different from the ones we had back in 2007, since we’ve learned since then and the world also has evolved. But the spirit is there, and they are honest. They say what we want to say, in words that mean something. We stand behind them.

That’s my challenge to other leaders in the VPN industry. Nowadays there are hundreds or maybe thousands of “VPN companies” out there. Most of them are just a kid in his bedroom, leasing a cheap server someplace with PPTP on it and convincing VPN review sites to pimp him out. Other companies are pure hype, making crazy promises with no substance to back them up. But mixed in with that slurry of mediocrity and half-truths, there’s some other VPN companies that are leaders: they take it seriously, they want to do right, and they don’t shy away from making hard decisions when it comes to real customer protection.

How about it? To the other leaders in the industry, what are your Terms of Service? Are you proud of them, or is it humbling to actually read through them? If humility is in order, maybe follow my example and eat some Humble Pie. It’s not very tasty, but it has to be done and better to do it now than try to hide it for later when it gets moldy and nasty. If you don’t like your ToS, fix them! Go public, like I did here, and talk about what happened - and what you’re doing different now. That’s how we all improve, and it’s the key to leadership - real leadership, not fakery. Be a leader - the buck stops somewhere, does it stop with you?

Because you know what? People are starting to notice those rotten ToS. It’s not a dirty little secret any more. I can’t protect you from that visibility - nobody can, except you if you get out in front and do the right thing.

Cryptocloud pioneered no-bullshit Terms of Service in the VPN industry. Then we drifted away from that, but now we’ve fixed it. We’re back to our roots. I apologize to the community that we took our eye off the ball like that. We can do better, and we must do better. There’s no excuses offered - we screwed up. Now we fix it, we learn from it, and we improve each and every day. That’s how our company started back in 2007, when we took the path of doing it the RIGHT way instead of the easy way.

And that’s the path we are on today, and always.

Who else will stand tall and show true leadership? 

Stay frosty…

~ thesaint707

Jurisdictional Jiggery

For as long as there's been a consumer VPN industry - since 2006, basically
- VPN companies have jostled for who can claim to have the coolest jurisdiction.
The first example was Relakks setting up in Sweden, and citing the good laws
there as a reason to use them (which is ironic, since those laws have gone bad in
the meantime but several VPN companies still tout Sweden as "all that" for privacy...
really?). Since then, it's become the wild west out there: quite a few VPN
companies have basically nothing going for them except a claim they are in
some "safe" jurisdiction. Just look for the ones that have the name of a country as
part of their brand name... they're not hard to find.

In the early days, having a good choice of where to be "based" was pretty
groundbreaking. We set up shop with our machines in Holland in 2007,
and that put us in good stead when it came to protecting customers in more
repressive countries (which means anything from Saudi Arabia to the USA,
basically) - that was revolutionary at the time. The early hordes of me-too copycats
to the new VPN business, in those days, were often just renting cheap servers in the
USA and calling themselves "privacy companies." Pretty laughable, in terms of privacy
- those folks rolled in a hot minute the first time some dork with a badge showed up at
their parents' front door and asked them to turn over records. Look up Hide My Ass and
vtunnel.com for examples. Pathetic and not what a privacy company should stand for.
Since then, it became a free for all: there were VPN companies claiming to be
"based" in just about every country on the planet. And that's when the bullshit
started. Because there's two things going on here, actually (as real pros understood
all along). There's the jurisdiction where your company is incorporated - which can basically
be anywhere in the world - and there's the physical location of your stuff and
people. What happened is that me-too folks started launching VPN companies
claiming to be "based in" some exotic locale... except the only thing based there
was their mail-order company paperwork. Not any servers, and not any employees
- they usually just leased cheap VPS capacity in, you guessed it, the USA (the USA
has super-cheap hosting/colo prices, which is why so many low priced VPN companies
end up getting all their servers there). The jurisdiction of their company (or what they
claimed it was - nobody checked company paperwork then, and nobody does now)
didn't make the slightest difference if the cops came calling - what mattered was who
lived where, and whether the servers were easy to grab. This happened because some
of those folks didn't know how to run real full disk encryption on their servers so if they
got raided, they were open sesame. Don't get me started on any company that is an ISP
as well, they are regulated worldwide and their VPN will always be secondary in revenue.

Since then, there's been so much bullshit thrown into the jurisdiction thing that I
will dub it "jurisdiction jiggery." Every newly-birthed copycat VPN company has more
outlandish claims about their jurisdiction... and unfortunately lots of customers take
it all at face value. They're based in Switzerland? Wow, they must be super safe!!!
Well, yeah, but if their servers are in Chicago and their two employees share a cheap
apartment in Miami that doesn't do much to keep things safe. In the meantime,
nobody really talks about where the employees live or where the servers are based (the
real servers, command and control, not just disposable exit nodes). It's all jiggery i.e.
smoke and mirrors.

Happily things have changed a lot since 2006, in terms of the politics and visibility
of VPN companies. Back then, there wasn't any "VPN industry" - just a few innovative
companies like Cryptocloud, setting the ground rules as we went. Now, it's an industry
- and law enforcement has it in its sights. Things are way different.

I am posting this article to try and put a little bit of honesty back into the jurisdiction
hype. Here's the deal: where you incorporate your company doesn't make any
difference to how safe your customers are going to be, in real life it just doesn't.
Pick a cool tax haven for other reasons, but don't pretend it means that Vanuatu's
laws magically apply to your company - with its servers in Chicago, or Toronto,
or Stockholm. They don't. That's a charade.

Where your servers are at shouldn't matter - since you're running real disk encryption
on ALL your machines, always. But for newbies who can't run servers properly (or who
just run cheap VPS "servers" instead of dedicated hardware... a terrible idea on many
levels), then yeah if your VPS is on a machine in Dallas or Kyiv (ya they go there too)
then the FBI is just going to show up at the colo facility and demand access to it
from the friendly hosting company employees there - they won't even bother calling
you in your "secure" safe haven, wherever that is. And your customers are out of
luck, exposed to the powers that be. That's what happens when amateurs play at VPN
service.


If you are smart enough to run FDE on your machines, then the hired guns of the
state (whatever state decides to go after your customers, which usually means the
USA, honestly) will go for the next weak spot: the people. That's right, they just
show up with guns and threaten to make bad things happen. Often they do make
bad things happen: put people in jail (even if it's only temporary), break stuff,
seize computers... all the usual thuggery. Don't be naive and think that it stops
magically at international borders - anyone who thinks it does is living in
fantasyland. Kim Dotcom got pinched in New Zealand, at the beck and call of the
FBI. Since they can jam him up - with all the tens of millions of dollars for lawyers
and security - then some youngster playing at being a VPN mogul sitting in a nice,
friendly European country is only a plane flight away from FBI custody, they do
have agents overseas too.

The real question is this: if goons with guns and badges show up at the homes of
the executives or sysadmins of a VPN company, what will they do? Will they wet
their pants and hand the keys to whoever looks most cop-like of the bunch? Will
they last for a day in a jail cell before breaking down and begging for mercy? Or,
will they tell the goons to go bugger off, clam up, lawyer up and - if needed -
scupper servers and network components to make sure nobody gets access to
them that shouldn't? If you've never had a gun pointed at you, it can be scary
the first time and with a LEO caressing the trigger, it gets serious. The true pros
can handle this shit - they've seen it before, and know how to stay tight. That's
who you want to trust with your business PERIOD.

Don't fall for the hype. Use your good judgment and common sense, and read their Terms
of Service and Privacy Policy - if they can shut you off for anything more than
non-payment then you truly aren't a needle in a haystack. There's no magical
protection because someone is in their super secret hideout or whatever - lol.
This isn't the movies, dude. This is real life - and in real life, it's who you are
rather than where your company sits that ends up mattering when things
go haywire. Take it from someone who knows, firsthand. Don't fall for
jurisdictional jiggery. Demand more than smoke and mirrors. And remember
that a mail-order company from an alluring tropical island tax haven doesn't
mean your packets are going to stay secure - that's just a bait and switch.

Cheers and Stay Frosty!





ATT’s latest scam

Truth Without Consequences
 
By now, most everyone has heard of ATT’s latest flagrant violation of net neutrality provisions. This time, they’ve been caught red-handed blocking certain iPhone apps (FaceTime, specifically) so they can force their “customers” (more like captured pawns) to hand over more money for stuff they don’t actually need. It’s not like this is the first time ATT has been caught doing this crap, and it’s not like ATT is unique - or even particularly bad - when it comes to these violations. They happen all the time. Some are caught, and publicly disclosed. Some haven’t (yet) been noticed and publicized.
 
At this point, all the usual rhetoric about how bad this kind of thing is has been trotted out into the public square. All the usual pressure groups are belly-aching about how it’s just not right what is being done, about how customers are being illegally squeezed for extra profits so that politically-connected oligopolies can spin yet more money for themselves. Everyone’s pointing out how such things totally go against the fundamental structure and culture of the Internet - the world’s great Commons. Nobody wants to see that Commons subject to the requisite tragedy… but that’s exactly what’s taking place. And so the protests and complaints and teeth-gnashing continue apace. Everyone says it’s wrong and bad and it has to stop. Now.

And you know what? They’re all 100%, absolutely right. But…
 
 
There’s a funny thing about repeat violators of laws and injunctions and rules and standards and that sort of thing. Once a given person - or as is much more relevant in these sorts of situations, for-profit corporation - does something once and gets caught, it waits to see what’s going to happen next. Does the world come down on its shoulders? Does it get fined bazillions of dollars? Does it - heaven forbid - see its corporate charter revoked and find itself “executed” as a corporate “person?” If it does, then damn it’s sure going to think twice about breaking that rule again in the future… assuming it still exists in the future, that is.
 
Contrariwise, if there’s absolutely no consequences for breaking the rule - apart from making extra profits, of course - then it’s no surprise that the rule will be broken again. And again. And again. Like the rat pressing the lever to make the cocaine hit come, for-profit megacorporations will break ANY rule - and do it repeatedly - if the consequences are lower than the extra profits they earn. This should be pretty damned obvious to anyone watching; it’s not like anything mysterious is going on. Hell, if you’re told not to pick up a $100 bill sitting on the sidewalk but you know - absolutely know - that there’s nothing bad that will happen if you do… will you pick it up? Yeah, you will - and why not? All benefit, no costs. An easy decision.
 
That’s what is going on with ATT and the other mega-oligarchs who are “caught” violating net neutrality over and over and over. Sure, they are caught - “caught,” really - but do they care? No, they don’t. They go through the motions of acting like they’re upset about being “caught,” and maybe they make noises about not doing it again (or maybe not). But, if there’s no consequences, do they care? No. Pick up that $100 bill - and if you are “caught” just act like you’re sorry… and pick up the next one you see.
 
Without consequences, rules become “rules” - and “rules” are mere background noise to global corporate powers like ATT. If you or I break the rules, we face serious consequences: fines, lawsuits, arrest, maybe even prison. If ATT breaks the rules, its lobbyists just act sorry and it all blows over in a few weeks. Can you spell “all the justice you can afford?” ATT can afford a hell of a lot of “justice” - more than you or I or any individual Internet participant. More than any of their customers, that’s for sure.
 
So it’s time to stop crying and moaning about how ATT (or whomever) got caught breaking the rules, and about how we need more rules to protect us from these goons. We don’t need more rules - we need CONSEQUENCES for the rules already out there! A rule without a consequence is a running joke, no more and no less. But let’s put it this way: if the price of ATT being busted for violating net neutrality was, oh, a cool billion dollars stripped out of their bank accounts (just like real criminal defendants in the USA see money stripped from their bank accounts) they’d sure as hell think twice about doing it again. More rules? Nope - more consequences.
 
So if you think your outrage about this latest outrage is making one bit of difference with ATT, think again. What they’ve learned (again) is simple: break the rules, don’t pay a real price. With lessons like that, none of us can really be surprised when ATT (or some other vampire-squid corporation out there) gets “caught” breaking “rules” again. And again. We’re not even talking about slaps on the wrist here: we’re talking about virtual slaps on nonexistent wrists. That’s just pathetic.
 
Put in place consequences for net neutrality violators, and net neutrality violations will vanish like fog on a sunny day. Keep putting more rules in place without consequences, and you’re just playing a fool’s game. Or, I should say, WE are just playing a fool’s game - because we all pay the price for the way these repeat corporate offenders act.
As an aside I am not paid by them and I am LOCKED into a contract.

We are back!

Apologies for OpenVPN being down; our intention was to do the upgrades at the end of August, but part of the team adjusted their holidays due to a wedding, so we pushed it up and expedited. One of the good things about getting a good look under the hood is that one can see an even more expanded picture, and we did! We have some cool treats in store for you, our valued customers, and I cannot wait to announce them! We are still tweaking some things like PPTP and the buy page, but upgrades are afoot!

Cheers!

Upgrade in Progress 04-08-2012

Dear CryptoCloud users,

We will be upgrading our systems for the next day and the website and OpenVPN system will be down. You may still use PPTP while this is taking place. We apologize for this but the enhancements to performance and security will be worth it. Please follow Twitter, our forum or blog for more details!

If you have any questions or inquiries, please contact us at support@cryptocloud.com.

We thank you for your patience.

Kind regards,

CryptoCloud Team