"Kape Technologies was originally found under the name of Crossrider in 2011 developing advertising apps until they changed their name in 2018.
However, their software was treated as malware by companies such as Malwarebytes and Symantec begging one to ask, how can such a company despite rebranding itself change the shoddy culture that it had?
But the connections don’t end there. The very first CEO of Crossrider, Koby Menachemi, happened to be once a part of Unit 8200 which is an Israeli Intelligence Unit in their military and has also been dubbed as “Israel’s NSA.” Teddy Sagi, one of the company’s investors was mentioned in the Panama Papers which were leaked in 2016."
I don't think tagging people as ex 8200 is very helpful. Israel has mandatory military service and at this point if you have aptitude or are in a high school computer club in Tel Aviv or a few other places, you probably end up in 8200 for your service. For that matter, half the people who say there were in 8200 were either 1) listening to telephone calls 2) relegated to writing memos about the data people did hack and get. Of course, there are things one could have done that would raise serious questions. See, e.g., the issues raised for the people we know who worked on DualEC_DRBG.
On the other hand, there are other sketchy things about express VPN.
FWIW, I once worked at NSA, and likely care more about privacy than anyone you know. These places employ 10s of thousands of people, and the people that come out are as varied as the industry at large.
Indeed, and if you've ever used a machine in China with that crap installed you know how well that went.
Speaking of China, it has always been strange how well ExpressVPN worked there even during high pressure moments where all other vpn operators bit the dust, with some already wondering a few years ago if there wasn't something more shady going on. Eventually I ended up using some self managed shadowsocks servers and it's been a while, so no idea what the current state of affairs is, but I'm even less convinced to use them now.
I interviewed with ExpressVPN (NetworkGuard) not too long ago. While the founders are American and they're incorporated in the Virgin Islands, their actual base of operations is Hong Kong and they have no intention of moving out despite the recent upheaval there. So either they have serious guanxi, which seems improbable for pasty white dudes (sorry, but in China race matters), or they're very naive.
As of 18 months ago to my knowledge most expats still used name brand ExpressVPN, Astrill, etc. while techie types used stuff like v2ray+shadowsocks or shadowsocks alone. Shadowsocks is really underrated, once you’ve found your location, plugins and obfuscation “stack” that just work on the gfw it’s also super handy in other countries that have lighter and less sophisticated censorship.
I've never been to China, but I'm curious - is it possible to connect to EC2 instances in us/eu? Anything stopping an SSH tunnel or wireguard to such a machine?
But if you need security, roll your own VPN. You can set up a Digital Ocean droplet as one. It's a pain, but you only need to do it once.
I'm not sure there's much of a persuasive reason to use any of these big providers. That's why they always fall back on claims of security – unsophisticated users always fall for it.
How so? All you see is that a random DO droplet is pinging your service. You'd need a legal request to get any further info about the droplet. And in that situation, it's equivalent to any other VPN service that will comply with legal requests.
He is talking about government level threats, DO provides no benefit.
I'll add that rolling your own means you're the only one exiting that IP address, so if your threat model involves websites profiling you and/or alternative accounts that won't help.
Where did someone mention government level threats?
If the threat model is a government, Tor is the only safe solution, and only after extensive training and safeguards. Using anything else is actually-crazy.
This is precisely the point that the threat model bares its fangs. You can ignore it, but you should be aware that you're putting all your faith in that service.
A hypothetical Good VPN doesn't exist in China, for example, because they're legally not allowed to do what you suggest. Many of us don't live in China, but some do. Even outside of China, is it really true that a VPN service will simply give LEO the finger when they ask "Who was downloading child porn off your servers?" I'm skeptical they can.
That's the thing though, not all legal requests get the same weight or priority. I wouldn't trust a VPN to not roll over for your example cp case, but I think a middle finger equivalent isn't unreasonable for the less severe and more common case of receiving a complaint that the IP was observed as part of a swarm seeding copyrighted material. For lesser things, where does DO sit on the spectrum of will rat you out (which ISPs do), and likely won't rat you out (basically any paid VPN because their reputation depends on not doing so)?
If you are outside the US this is sufficient protection for many people. For example even close US allies (eg five eyes) have to go through the US court system to get this warrant, and that is a slow, annoying process when you aren't based in the US.
It raises the level of friction to meaning it will only happen for somewhat major investigations. If you are a major drug dealer, then yes, they'll do it. If they catch you with some small amount of some drug, then it's unlikely they'll chase it.
> How can such a company despite rebranding itself change the shoddy culture that it had
This is the nature of VPN companies. You must do your research. Sadly most consumers don't do their research and blindly trust that the VPN provider has their best interests at heart.
Should that mean we trust a provider that has zero scandalous pasts? Hardly. Treat every VPN provider as if they peddled malware in the past I say.
I find any VPN company that pays influencers to talk about privacy, security and stolen credit cards suspicious from the get go. Especially when they do it on prevalent tech channels. And especially when they talk about the stolen credit cards. Selling people a false sense of security is something I dislike from the get go. They could list the potential uses without having to resort to that.
I know that it’s just my paranoia but I tend to assume any Internet service I don’t have a direct control of is logging things and will give up those logs when asked. (We’ve already seen plenty of that). I’d feel less safe tunneling over some company’s network than not doing it at all.
With that the use case I have for them is very limited. I prefer to route through my home network instead. That being said my ISP is not hostile to its users so I understand people who have one that is.
I mostly just use Pi-Hole to drop bad traffic, Quad9’s filtered endpoint over DNSCrypt and Ubiquiti’s built in threat defense and honeypot and AdGuard on the client side for some basic security and privacy and employ some common sense when browsing the internet.
I am so very confused with the recent ubiquity of VPN. I understand VPN. What happened that everyone needs or is at least being convinced they need VPN? Why has it become a product worth being marketed to consumers on every channel? Is this a bubble? Is it a money laundering scheme? Seriously, what is going on?
Bypassing country firewalls. Accessing Netflix content from other countries. Protecting yourself when torrenting.
It's also sold using the same scare tactics that Anti-Virus is sold. By making people think their connections are insecure unless they use a VPN. So it pulls in a lot of the less tech savvy people who will most likely just use it for Netflix and further encrypting their traffic.
I don't think it's a bubble because countries are trying to implement all these weird laws and monitor the internet more and more. The UK for example wanted to introduce identity checks for consuming Porn. They can't do that when you can VPN to some other country.
Are there any VPN services that actually do this? AFAIK all of them get blocked (i.e. they are known IPs). I've even tried to spin up a Digital Ocean server to route my traffic and Netflix blocked it.
ExpressVPN works for me. Can get netflix US in the UK and vice versa. Also Disney+, BBC and Amazon Prime. Works for all the streaming services I've tried tbh.
It seems to me that, at least speaking for the US, there is a massive demographic that is becoming increasingly skeptical and weary of "big tech", and VPN companies have targeted this demographic with panacea solutions to stop big tech's ability to track you, etc etc. ExpressVPN has been all over the air waves in conservative radio.
Although I don't mind people practicing safe hygiene, little do they know a VPN has very little to do with big techs ability to actually vacuum up data about them.
For me, I need it to actually pay taxes on my US properties from abroad. Many US tax authorities inexplicably block foreign traffic. Several paid services I use don't allow payments unless the card and the IP address are from the same country.
But by and large I agree, most people are duped into believing it's somehow more secure.
There are quite a few overlapping targets for VPNs:
- People that use Torrents
- People that travel (geo-restricted content, country level blocking of services/sites)
- Local firewalls that block things for no good reason.
- People that think a VPN keeps them safe from "bad guys".
I recently engaged in some infrastructure consulting work for a small startup(10 people). They're 100% distributed, no office, everything operates out of Google Drive, Docs, and Gmail.
One of the first questions they asked was if they need a VPN to keep their corporate communications and file transfers secure.
Accessing geo-restricted content is a minority of the VPN advertising that I come across. Most of the VPN marketing I see is a combination of "security and privacy", "online banking", "hackers", "private data", "snooping ISPs".
They won't advertise that they can access geo-restricted content like Netflix because Netflix is constantly cracking down on VPN providers and blacklisting IPs. But it's definitely one of the bigger use cases.
I've always thought it was like a smoke shop. They say their products are for tobacco but everyone knows what its really for. Same with VPN, they say it's for all those things above but accessing geo-restricted content seems like the real reason.
Well, if I see a list of "good privacy-focused VPNs" on like TorrentFreak, then I'm pretty sure that they mean "these VPNs are good to route your torrent traffic through". But I do actually doubt that people watching a video on YouTube are going to get the "watch Japanese Netflix on ButtVPN" subtext when the advertising blurp is "ButtVPN protects your online banking against hackers". It's not like it's actually illegally to promote a VPN for bypassing geoblocking, so if that was the main driver of customers, they'd really use it a lot more often.
They can't promise that because companies like Netflix constantly blacklist their IPs. They can make a general statement like "view geolocked content", but being specific and then not delivering will lead to a lot of resentment from new users.
Well it's either that or make every user an endpoint to go around the IP blacklist like that one provider did, but I can't remember which one.
Where to begin. I don’t trust my ISP not to interfere with my packets. In the UK, things like google and imgur get proxied through a centralised filtering engine, ISPs hijack your dns, throttle your traffic based on your activity, blacklist sites using DNS. Who knows what they’ll record for the government and the retroactive laws they may pass?
When nxdomains resulted in me landing on some page from my ISP, I started using a VPN. I'm perfectly fine with my ISP snooping my traffic IFF all they get is gibberish.
1. NSO Group aka the "use our tool to hack activists/political opponents"-as-a-service company, is founded by *former members of Israeli intelligence and their Unit 8200*.
2. Kape Technologies, whose software is labeled as malware by companies such as Malwarebytes and Symantec, founded by *former members of Israeli intelligence Unit 8200*
3. Black Cube, the spy-for-hire company that the likes of Harvey Weinstein hired to collect dirt on those suing him: founded by *former members of Israeli intelligence Unit 8200*
Needless to say, it's looking like using HolaVPN, an Israeli P2P VPN (founded by, you guessed it, *former members of Israeli intelligence*), is a colossally bad idea.
I'm fully aware that Unit 8200 alumni are very prolific when it comes to founding tech startups in Israel in general, but that doesn't change how brazen their industry is when it comes to selling sophisticated spyware to very bad people/governments.
> ExpressVPN says in a statement that it knew the 'key facts' of the employment history of one of its executives, Daniel Gericke. On Tuesday Gericke was revealed in court records to have worked on the UAE's hacking and spying operation
"Daniel has a deep understanding of the tools and techniques used by the adversaries we aim to protect users against, and as such is a uniquely qualified expert to advise on defense against such threats. Our product and infrastructure have already benefited from that understanding in better securing user data,"
Yeah it's a tricky one isn't it? On one hand many of the best security researches are ex-state employees, and many of them go from that into the private sector. On the other hand it makes it sound like they are friendly with potential adversaries.
People are also against to see an ex-spy employed by a company that promises (to some degree) to protect their customers from the abuses of such governments—there is also a moral angle to it. "Daniel has a deep understanding of the tools and techniques used by the adversaries" because, well, he was one of the adversaries. It's like a private security company employing a former criminal.
It's like a private security company employing a former criminal.
I mean... would you hire Kevin Mitnick's company? Lots of people do (apparently, considering they've been in business this long), but yet he's a former "criminal". It really is a tricky analysis. Who knows hackers better than a former hacker? But how can you trust a "former" hacker? Hmm...
I agree that the analysis is tricker though I disagree that Kevin Mitnick is an appropriate example—Mitnick is quite innocent in the scale of what Gericke’s employer (Signals Intelligence Agency [SIA]) has done[0][1], even if we were to exaggerate Mitnick’s crimes.
That's the reason for the quotes around "criminal" above. Mitnick turning "white hat" just happened to be the first (roughly) analogous example that popped to mind.
The threat model for "I want to watch Netflix in a different country than the one I'm in" is totally different from "I'm Edward Snowden and the CIA wants my ass". Consumer-grade VPNs protect against the first "threat" alright, but it's a totally different ball game to protect against an APT like the NSA/CIA, who will break into your VPN company's office in the middle of the night and replace all of the computer keyboards with exact replicas that have a keyloggers inside in order to get access to your data.
That's really all they're buying, right? The advertising budget, the name recognition, and the existing user contracts are the important things.
The software isn't anything special, and the hardware and network connections to actually run the VPN are probably a very small part of their margins - certainly not worth nearly 1 billion dollars.
Actually, it was one of the few VPNs that regularly worked to connect past the firewall in more rural China (outside Beijing/Shanghai/Shenzhen). Don't personally know (or have as much interest) about the state of things now.
Pure speculation, but I would guess that it may make practical sense for the party to relax the firewall in places where access to internet resources abroad could be more necessary for economic reasons.
The much heavier traffic and variety of traffic in urban areas probably means looser rules. Even if just to reduce the noise for the great firewall admins.
It’s not about heavier traffic. China literally has different rules for different parts of the country, different ISPs, different wireless providers (especially foreign versus domestic), etc.
Just the sort of thing you see in the real world. It's much easier to lock down access for a network with less people using it.
A network with more people starts to find all the edge cases where your lock-down rules break legitimate things, which results in calls to your boss from people with the clout to make you change stuff.
Similar for reporting, alerting, etc. Volume and variety of traffic can force you to be more lenient in larger networks. Or lose any real effectiveness because your signal/noise ratio is now bad.
I don't remember the specifics, but there were a lot of different packet types (eg UDP not just TCP) and protocols that ExpressVPN used to negotiate and transfer data. I'm sure there was quite a bit of cat-mouse, but I also assumed that there might be a symbiotic (or more) connection between Chinese security and ExpressVPN. I just wanted things to work, and didn't care so much about the actual "privacy" of the tunnel.
these are valid questions to ask but I'd be wary of falling into this very common trap that I see on HN, which is dismissing the sophistication of a product based on, well, nothing really. Given that another company was willing to pay $1b, and given that this is a free market, do you think it's more likely that ExpressVPN was simple and "not special", or that there is actually some substance there?
Let's presume you are correct; is they idea that they are then special in a way that PIA isn't? This is just like when your local supermarket gets purchased by a company that owns other nearby supermarkets to be folded into their brand: they want the location and the customers that visit it, not some interesting innovation they heard you have been hiding for how to run your supply chain.
It’s a bit like saying “but getting to the moon is just a bit of metal and fuel”.
Execution is everything. And there are no guarantees when it comes to execution. That’s what the cost of acquiring an otherwise “simple” business is: the cost to guarantee successful execution of a business/product plan.
You're suggesting that either ExpressVPN was a really good business with sophisticated secret sauce, strong technical chops, and capital assets probably worth $1B (validated by people with lots of money being willing to pay for it), or that I and other HN commenters are wrong about the sophistication and it's really worth peanuts because OpenVPN can be run on most routers or any Linux box.
The latter is obviously false, but the former is not necessarily true - instead, what I and other users are pointing out is that they're really selling is their users, and implying that the buyer expects to be able to extract more than $1,000,000,000.00 of value from them. As you pointed out, you see this sort of comment when a social network or many other kinds of startups with lots of users are sold.
The point is that the users are the product in this transaction.
Nice. The NSA has to spend billions to wiretap the internet and fish for valuable data. Kape only spends 1B and has probably a much higher percentage of traffic they are interested in. And the best thing is the users are actually paying them...
They are trying to capture the people leaving from Express VPN. There probably was a small exodus when PIA was bought and they learned from it. Meanwhile, I'm a happy PIA customer and just got a new 3 year contract.
I let my PIA account expire after the purchase, but there's a reasonable argument for "any shadowy figures siphoning their info aren't in my threat model."
If you're Joe Schmoe who just wants to not get nastygrams over using Popcorn Time or a tweaked Kodi box pulling movies from torrent sites, you may be a lot more concerned about hiding your usage from your ISP than you are from some foreign government that doesn't care about you. For that user, PIA (or ExpressVPN, or NordVPN, or whoever else is out there) may be a perfectly viable option.
I'm not convinced that Kape is a worse owner, the evidence was weak. In addition, they sell privacy. If they stop respecting privacy they go under. If they start storing data they legally have to hand it over when being asked by law enforcement, which would expose that they stored it.
A lot of users and in-video sponsor spots that will never go away (YouTubers can edit them out using YT Studio but the sponsorship contract might impose restrictions on if/when they can remove it).
This is like your kids' daycare being taken over by the local pastor who, not long ago, was caught in the act with minors under his care (and since promised to do better - with nothing much to show for it).
I only use Express to watch Tv overseas or access websites that are blocked by my ISP, but it makes me uneasy to know that shady characters are ultimately controlling this service in locations governed by unsavoury governments.
Eh, their revenue was $279 million, and profits at $75m. Growth at 30% p.a. so it really depends how long-term their investment outlook is and how much they believe growth will continue.
Particularly considering they own multiple VPN providers, so can probably squeeze overheads to increase margins, and also that much market control might allow you to increase prices across all brands you own due to reduced competition (as long as you don't tell anyone that's what you are doing - naughty naughty).
Of course foreign governments are already at the heart of all these VPN providers anyway.
With the rise of dictatorships worldwide and the complete inability of liberal democracies to fight back, I would guess there's a lot of growth in this market
I'd hope not, but I don't think it's a necessary conclusion. Most subscribers to VPN companies pay $5 or more a month and use almost zero bandwidth (basically just opening Facebook and Twitter here and there), and so it's easy to throw literally thousands of them onto a single high-throughput dedi. The ones with good marketing are very high-margin companies with a high LTV.
Love Windscribe. At a time when I wasn't able to afford a subscription, they were one of the very few services with a free plan that didn't look shady.
I have since been a happy paying customer and also recommended it to a couple of my friends.
I'm saddened to see that "thatoneprivacysite", once a comprehensive database of VPNs and their policies, now redirects to some scammy-looking "review" site that that pimps ExpressVPN right at the top of the front page.
A shame.
It looks like the next-best guide that hasn't been corrupted by referral money is privacytools.io, which currently recommends Mullvad, ProtonVPN, and IVPN. https://www.privacytools.io/providers/vpn/
Pretty sure a large chunk of these VPN users are just using it to avoid DMCA notices when torrenting. Rolling your own VPN doesn't get you around this.
My NAS runs in my house. While I do have a VPN to connect when away, I don't particularly care for my ISP seeing all my traffic or being tracked by the entire web. I use Mullvad to try to achieve some semblance of privacy.
> I don't particularly care for my ISP seeing all my traffic or being tracked by the entire web. I use Mullvad to try to achieve some semblance of privacy.
But VPNs don't enhance your privacy though - you're trading your ISP's snopping for your VPN operator's snooping - and TLS makes it all irrelevant.
Yes, I need to trust the VPN provider and that's a trade I'm willing to make. My ISP has my name, address, DOB, and my SSN. My VPN provider has none of those things.
TLS solves part of the problem with ISP snooping, sure. The ISP does still know which IPs I'm accessing though and since SNI information isn't encrypted, so they may even know the hostname. There's more to it than reading the contents of sites I visit.
I'm also not fond of my ISP-issued IP trivially pin-pointing the town I live in. I'm less fond of the way trackers and advertisers use that information. Routing my traffic through a VPN addresses that point as well.
Maybe some day we'll see wide deployment of IPv6 addresses that don't reveal geographic location. Maybe some day we'll have encrypted SNI everywhere. Maybe some day 100% of all network traffic, HTTP or otherwise, will use TLS. But, we're not there today. A VPN provider is a nice stopgap measure.
I'd argue that is an enhancement of my privacy. It's had a nice secondary benefit of avoiding ISP throttling or peering disputes.
However, their software was treated as malware by companies such as Malwarebytes and Symantec begging one to ask, how can such a company despite rebranding itself change the shoddy culture that it had?
But the connections don’t end there. The very first CEO of Crossrider, Koby Menachemi, happened to be once a part of Unit 8200 which is an Israeli Intelligence Unit in their military and has also been dubbed as “Israel’s NSA.” Teddy Sagi, one of the company’s investors was mentioned in the Panama Papers which were leaked in 2016."
https://www.hackread.com/israeli-firm-kape-technologies-expr...