Search found 119 matches

by Graze
Fri Mar 18, 2016 10:08 am
Forum: general chat, suggestions, industry news
Topic: Twitter Feed
Replies: 4
Views: 22430

Re: Twitter Feed

SCREEN NAME! wrote: Feedback:

The twitter feed appears to be being run by a 14 year old girl; one with a deep love of cute animals and pretty scenes. Yeah, there are links to things technical, but with more than a whiff of annoying FB sharer.

No problem. You're welcome. Happy to help. :D
Twitter Is Srs Business!

We'll get that fixed, straightaway.

j/k :thumbup:
by Graze
Wed Mar 16, 2016 8:35 am
Forum: DeepDNS - cryptostorm's no-compromise DNS resolver framework
Topic: TrackerSmacker: adware/crapware-blocking done right
Replies: 67
Views: 348899

This is likely a bit of a misfire, or looks like one in any case:
Screenshot (45).png
by Graze
Tue Sep 22, 2015 11:22 pm
Forum: cryptostorm reborn: voodoo networking, stormtokens, PostVPN exotic netsecurity
Topic: LOCKED: alpha token batch
Replies: 27
Views: 186634

Re: alpha token batch, official release

cryptostorm_dev wrote: For $56 (plus, enigmatically, a "shipping charge" of $3.50 that nobody can explain... but seems appropriately mysterious for the voodoo deploy)...
by Graze
Fri Sep 04, 2015 1:17 pm
Forum: general chat, suggestions, industry news
Topic: cryptostorm's #HackedTeam mirror
Replies: 1
Views: 18015

Apparently too much for twitter's automated nannybots? :-P

Welp, so much for tweeting the good news. Wonder which one is the keyword that triggers the nannybots?
by Graze
Wed Apr 08, 2015 6:14 pm
Forum: crypto, VPN & security news
Topic: [via SMH] Beware Australian downloaders! - here comes the screw tightening!
Replies: 1
Views: 15556

[via SMH] Beware Australian downloaders! - here comes the screw tightening! ... mey38.html

Ben Grubb
Technology editor
Sydney Morning Herald

RAW VISION: "this is just the first step in the process" says Michael Bradley, the lawyer representing Dallas Buyers Club in landmark piracy case.

A Federal Court judge has ordered several Australian internet service providers, including iiNet, to hand over to a film studio the identities of thousands of account holders whose internet connections were allegedly used to share without authorisation the Dallas Buyers Club movie.

In a landmark judgment delivered on Tuesday afternoon, Justice Nye Perram ruled in favour of Dallas Buyers Club LLC's "preliminary discovery" application requesting that the ISPs disclose the identities of people it alleges shared the movie online.

The studio behind Dallas Buyers Club wants to identify those who pirated the film.

In addition to iiNet, ISPs Dodo, Internode, Amnet Broadband, Adam Internet and Wideband Networks will also be required to hand over customer details.

It was unclear on Tuesday whether iiNet and the other ISPs would appeal the decision before the Full Court of the Federal Court. They will have 28 days to do so.

"It's a good outcome, we got the result we were seeking," Michael Bradley, a lawyer representing Dallas Buyers Club in the case, said outside the court.

The ruling means about 4700 Australian internet account holders whose service was used to share Dallas Buyers Club on the internet from as early as May 2013 are soon likely to receive legal letters from Dallas Buyers Club LLC's Australian lawyers threatening legal action.

This occurred in the US, where legal action was threatened against account holders claiming they were liable for damages of up to $US150,000 ($196,656) in court unless settlement fees of up to $US7000 ($9171) were paid. This practice is commonly referred to as "speculative invoicing".

But in a win for iiNet and the other Australian ISPs, Justice Perram ordered that any letters sent to alleged illicit pirates must first be seen by him. He said this would "prevent speculative invoicing", which under Australian law may not be lawful.

"Whether speculative invoicing is a lawful practice in Australia is not necessarily an easy matter to assess," Justice Perram said, before stating that it may constitute misleading and deceptive conduct as well as unconscionable conduct.

The judge also ordered that the privacy of individuals should be protected, meaning Dallas Buyers Club cannot disclose the identities of alleged pirates.

Justice Perram foreshadowed he would order that Dallas Buyers Club pay the ISPs' legal costs, as well as the costs of searching for documents identifying alleged pirates.

iiNet chief David Buckingham said he was pleased with the result and some of the protections the judge put in place for consumers, despite the fact they can still be identified and sued as a result of the judgment.

"By going through the process we've been able to ensure that our customers will be treated fairly and won't be subjected to the bullying that we have seen happen elsewhere," Mr Buckingham said.

The case, heard by Justice Perram over three days in February, centred on whether Dallas Buyers Club LLC should be given access to details of internet account holders whose connections it alleges were used to share its movie using peer-to-peer file sharing software such as BitTorrent.

The details to be handed over include names and residential addresses of those whose connections were allegedly used to share the film.

During the case, Michael Wickstrom, vice president of royalties and music administration at Voltage Pictures, the parent company of Dallas Buyers Club LLC, objected to iiNet providing examples of the speculative invoicing letters sent in similar US cases, stating that in Australia the format of the letters would be different.

The letters sent to Australians would be made so that they complied with local laws, he said.

But Mr Wickstrom and Dallas Buyers Club LLC's lawyer did not provide examples of what the letters would look like here.

"I would give [Australian lawyers] some examples to say 'Is this sufficient for Australia or does it need to be changed?' " he said.

Mr Wickstrom also said the company would not sue or attempt settlement with an autistic child, people who were handicapped, welfare cases, or people who have mental issues.

To uncover the alleged pirates, Dallas Buyers Club LLC, through Voltage Pictures, tasked German-based pirate-hunting firm Maverick Eye UG to identify those who were sharing the movie online.

Maverick Eye joined torrent "swarms" that were sharing Dallas Buyers Club and then tasked its software to log the Internet Protocol (IP) addresses of those who distributed the movie without authorisation and in breach of copyright laws. A total of 4726 IP addresses were identified.

Dallas Buyers Club LLC then contacted iiNet and other ISPs, asking them to divulge customer details associated with those IP addresses without a court order — but the ISPs refused.

It then sought to have the ISPs disclose customer details in the Federal Court through the preliminary discovery application process, which is often used by parties to a case where the identity of the person or company they want to take legal action against is unknown but can be discoverable through a third-party.

But iiNet sought to challenge the request on grounds it would lead to speculative invoicing, whereby alleged infringers are sent letters of demand seeking significant sums for infringement. These letters often threaten court action and point to high monetary penalties if sums are not paid.

"We are concerned that our customers will be unfairly targeted to settle any claims out of court using [this] practice," iiNet said in a blog post about the legal action last year.

The ISP also argued that customers could be incorrectly identified as alleged infringers if details of the account holder were revealed. For example, the relevant IP address could have originated from a person in a shared household where someone other than the account holder infringed copyright, it said.

iiNet also argued it wanted to fight the matter because Australian courts had never tested a case like this one before.

Now that the judge has ordered iiNet and other ISPs to hand over the details, it opens the floodgates for other rights holders to do the same thing - track who is sharing their content on the internet and then get courts to order the handing over of the identities of suspected pirates.

But whether other rights holders do this remains to be seen.

The judgment comes as the Abbott government begins cracking down on internet piracy.

Just two weeks ago it introduced a website-blocking bill into parliament that has since been sent to a parliamentary committee for scrutiny. The bill allows rights holders to apply to a judge for an injunction that would require ISPs to block access to "online locations" overseas that facilitate copyright infringement.

The government has also asked ISPs and rights holders to come to an agreement by this Wednesday on a code to tackle online piracy which must involve sending alleged copyright infringement notices to consumers.

More relevantly, it includes a process for "facilitated discovery" to assist rights holders in taking direct copyright infringement action against a subscriber after an agreed number of alleged infringement notices are sent.

Tuesday's judgment is likely to guide how future discovery applications are made.

A similar case involving Dallas Buyers Club and Brisbane-based data centre and wholesale broadband provider iseek communications will have a directions hearing on April 14, where it's expected, according to tech publication ZDNet, there won't be a challenge by iseek to divulge details.
by Graze
Thu Feb 12, 2015 4:55 am
Forum: general chat, suggestions, industry news
Topic: Is Onyx Partially Broken?
Replies: 2
Views: 7579

Re: Is Onyx Partially Broken?

Was talking to the network geeks - they will check if anything is up in a few minutes.

Thanks for the "heads up"!
by Graze
Sun Feb 01, 2015 5:49 pm
Forum: general chat, suggestions, industry news
Topic: browser fingerprinting: research, defences, future avenues of development
Replies: 39
Views: 108293

Browser Fingerprinting and the Online-Tracking Arms Race

Web advertisers are stealthily monitoring our browsing habits—even when we tell them not to
By Nick Nikiforakis & Günes Acar | IEEE Spectrum
Posted 25 Jul 2014 | 15:00 GMT

In July 1993, The New Yorker published a cartoon by Peter Steiner that depicted a Labrador retriever sitting on a chair in front of a computer, paw on the keyboard, as he turns to his beagle companion and says, “On the Internet, nobody knows you’re a dog.” Two decades later, interested parties not only know you’re a dog, they also have a pretty good idea of the color of your fur, how often you visit the vet, and what your favorite doggy treat is.

How do they get all that information? In a nutshell: Online advertisers collaborate with websites to gather your browsing data, eventually building up a detailed profile of your interests and activities. These browsing profiles can be so specific that they allow advertisers to target populations as narrow as mothers with teenage children or people who require allergy-relief products. When this tracking of our browsing habits is combined with our self-revelations on social media, merchants’ records of our off-line purchases, and logs of our physical whereabouts derived from our mobile phones, the information that commercial organizations, much less government snoops, can compile about us becomes shockingly revealing.

Here we examine the history of such tracking on the Web, paying particular attention to a recent phenomenon called fingerprinting, which enables companies to spy on people even when they configure their browsers to avoid being tracked.

The earliest approach to online tracking made use of cookies, a feature added to the pioneering Web browser Netscape Navigator a little over a year after Steiner’s cartoon hit newsstands. Other browsers eventually followed suit.

Cookies are small pieces of text that websites cause the user’s browser to store. They are then made available to the website during subsequent visits, allowing those sites to recognize returning customers or to keep track of the state of a given session, such as the items placed in an online shopping cart. Cookies also enable sites to remember that users are logged in, freeing them of the need to repeatedly provide their user names and passwords for each protected page they access.

So you see, cookies can be very helpful. Without them, each interaction with a website would take place in a vacuum, with no way to keep tabs on who a particular user is or what information he or she has already provided. The problem came when companies began following a trail of cookie crumbs to track users’ visits to websites other than their own.

How they do that is best explained through an example. Suppose a user directs her browser to a travel website—let’s call it—that displays an advertising banner at the top of the page. The source of that banner ad is probably not itself. It’s more likely located on the Web servers of a different company, which we’ll call As part of the process of rendering the page at, the user’s browser will fetch the banner ad from

Here’s where things get sneaky. The Web server of sends the requested banner ad, but it also uses this opportunity to quietly set a third-party cookie on the user’s browser. Later, when that same user visits an entirely different website showing another ad from, this ad supplier examines its previously set cookie, recognizes the user, and over time is able to build a profile of that user’s browsing habits.

You might ask: If this brings me more relevant online advertisements, what’s the harm? True, online tracking could, in principle, help deliver ads you might actually appreciate. But more often than not, the advertisers’ algorithms aren’t smart enough to do that. Worse, information about your Web browsing habits can be used in troubling ways. A car dealer you approach online and then visit in the flesh, for example, could end up knowing all about your investigations, not only of its inventory but of all the other car-related websites you’ve been checking out. No wonder such tracking has garnered a reputation for being creepy.

Not long after the use of third-party tracking cookies became common, various media outlets and privacy organizations began questioning the practice. And over the years, people have increasingly come to appreciate that the set of websites they visit reveals an enormous amount about themselves: their gender and age, their political leanings, their medical conditions, and more. The possession of such knowledge by online advertising networks, or indeed by any company or government agency that purchases it from those networks, comes with potentially dire consequences for personal privacy—especially given that users have no control of this very opaque process of data collection.

It should come as no surprise that some of the early news articles about advertisers’ use of cookies had headlines announcing “the death of privacy” and made allusions to George Orwell’s all-seeing Big Brother. Even the programmers and engineers involved in the development of technical standards got an earful.

In particular, in 1997 a coalition of privacy organizations wrote an open memo to the Internet Engineering Task Force (sending copies to the leading browser developers) that expressed their support for the first cookie standard, RFC 2109, which stated that third-party cookies should be blocked to “prevent possible security or privacy violations.” But advertising companies pushed back harder. And in the end, neither of the two mainstream browsers of that era, Netscape Navigator and Internet Explorer, followed the specification, both allowing third-party cookies.

The winds began to shift in 2005, though, when browser developers started adding a “private browsing” mode to their products. These give users the option of visiting websites without letting those sites leave long-term cookies. Independent developers, too, started producing privacy-preserving extensions that users could add to their browsers.

Today, the most popular extension to Mozilla’s Firefox browser is AdBlock Plus, which rejects both ads and third-party cookies used for tracking. And recently developed tools like Ghostery and Mozilla’s Lightbeam reveal the number of trackers on each website and show how these trackers collaborate between seemingly unrelated sites. Finally, recent studies have shown that a large percentage of people delete their browser cookies on a regular basis, a fact that points to their having at least some understanding of how cookies can compromise privacy online.

But when people started deleting their cookies, the companies involved in tracking didn’t just roll over. They responded by developing new ways of sniffing out users’ identities. Most had one thing in common: They tried to bury the same tracking information found in cookies in some other corner of the user’s browser.

One popular technique was to use Flash cookies. These are conceptually similar to normal cookies, but they are specific to Adobe’s Flash plug-in. In the past, a website could hide information in Flash cookies, which would survive the clearing of normal cookies. The information retained in the Flash cookies would then be used to regenerate the deleted normal cookies. Companies made use of this sneaky tactic for a few years before researchers caught on and started publicizing these shady practices in 2008. Today, most browsers give users the ability to delete all flavors of cookies.

Taking Your Print
In the past, clearing cookies after each session or selecting your browser’s “Do Not Track” setting could prevent third-party tracking. But the advent of browser fingerprinting makes it very difficult to prevent others from monitoring your online activities. The diagram above outlines how an online advertising network can track the sites you visit using fingerprinting.

As you might expect of this long-standing cat-and-mouse game, the advertising networks have not sat idle. In recent years, they have shifted to a form of tracking that doesn’t require Web servers to leave any kind of metaphorical bread crumb on the user’s machine. Instead, these ad networks rely on a process known more generally as device fingerprinting: collecting identifying information about unique characteristics of the individual computers people use. Under the assumption that each user operates his or her own hardware, identifying a device is tantamount to identifying the person behind it.

While this all sounds very sinister, it’s important to realize that such fingerprinting has some very benign, indeed laudable, applications. It can be used, for example, to verify that someone logging into a Web-based service is not an attacker using stolen log-in credentials. Fingerprinting is also helpful for combating click fraud: Someone displays an advertisement on his website in return for payment each time that ad is clicked on—and then tries to run up the bill by having an identity-feigning computer click many times on the ad. The problem is that fingerprinting has become so precise that it makes a sham of browsers’ privacy-protection measures.

In 2010, Peter Eckersley of the Electronic Frontier Foundation showed that tracking various browser attributes provided enough information to identify the vast majority of machines surfing the Web. Of the 470,000-plus users who had participated at that point in his public Panopticlick project, 84 percent of their browsers produced unique fingerprints (94 percent if you count those that supported Flash or Java). The attributes Eckersley logged included the user’s screen size, time zone, browser plug-ins, and set of installed system fonts.

We have expanded on Eckersley’s study by examining not just what kinds of fingerprinting are theoretically possible but, more to the point, what is actually going on in the wilds of the Internet’s tracking ecosystem. We started our analysis at the University of Leuven, in Belgium, by first identifying and studying the code of three large fingerprinting providers: BlueCava, Iovation, and ThreatMetrix.

The results were rather chilling. The tactics these companies use go far beyond Eckersley’s probings. For instance, we found that one company uses a clever, indirect method of identifying the installed fonts on a user machine, without relying on the machine to volunteer this information, as Eckersley’s software did.

We also discovered fingerprinting code that exploits Adobe Flash as a way of telling whether people are trying to conceal their IP addresses by communicating via intermediary computers known as proxies. In addition, we exposed Trojan horse–like fingerprinting plug-ins, which run surreptitiously after a user downloads and installs software unrelated to fingerprinting, such as an online gambling application.

With the information we gathered about these three companies, we created and ran a program that autonomously browses the Web and detects when a website is trying to fingerprint it. The purpose of this experiment was to find more players in the fingerprinting game, ones less well known than the three we studied initially.

We quickly uncovered 16 additional fingerprinters. Some were in-house trackers, used by individual companies to monitor their users without sharing the information more widely. The rest were offered as products by such companies as Coinbase, MaxMind, and Perferencement.

And it seems the companies selling this software are finding buyers. Our results showed that 159 of Alexa’s 10,000 most-visited websites track their users with such fingerprinting software. We also found that more than 400 of the million most popular websites on the Internet have been using JavaScript-only fingerprinting, which works on Flash-less devices such as the iPhone or iPad. Worse, our experiment revealed that users continue to be fingerprinted even if they have checked “Do Not Track” in their browser’s preferences.

Browser fingerprinting is becoming common, and yet people are mostly in the dark about it. Even when they’re made aware that they’re being tracked, say, as a fraud-protection measure, they are, in essence, asked to simply trust that the information collected won’t be used for other purposes. One of those is targeted advertising, which works even when users switch into their browsers’ private mode or delete their cookies. What are those unwilling to go along with this new form of tracking doing about it?

As part of our research on browser fingerprinting, we examined various tools that people are using to combat it. One popular approach is installing browser extensions that let you change the values that identify your browser to the server. Such modifications allow users to occasionally trick servers into dishing out pages customized for different browsers or devices. Using these extensions, Firefox devotees on computers running Linux, for example, can pretend to be Internet Explorer fans running Microsoft Windows. Other extensions go further, reporting false dimensions for the screen size and limiting the probing of fonts.

Our analysis showed that a mildly accomplished fingerprinter could easily overcome any of these supposedly privacy-enhancing browser extensions. That’s because modern browsers are huge pieces of software, each with its own quirks. And these idiosyncrasies give away the true nature of the browser, regardless of what it claims to be.

This makes those privacy-protecting extensions useless. In fact, they are worse than useless. Resorting to them is like trying to hide your comings and goings in a small town by disguising your car. If you get a rental, that might work. But if you merely replace the chrome lettering on your Prius with lettering taken from the back of a Passat, not only will your ruse be obvious, you will have now marked your car in a way that makes it easy to distinguish from the many other Priuses on the road. Similarly, installing such a fingerprint-preventing browser extension only makes you stand out more.

Given that advertising is the Web’s No. 1 industry and that tracking is a crucial component of it, we believe that user profiling in general and fingerprinting in particular are here to stay. But more-stringent regulations and more-effective technical countermeasures might one day curb the worst abuses.

We and other researchers are indeed trying to come up with better software to thwart fingerprinting. A straightforward solution might be to stop the fingerprinting scripts from ever loading in browsers, similar to the way ad blockers work. By maintaining a blacklist of problematic scripts, an antifingerprinting extension could detect their loading and prohibit their execution.

One challenge is that the blacklist would have to be revised constantly to keep up with the changes that trackers would surely make in response. Another issue is that we don’t know whether the loading of fingerprinting scripts is necessary for the functionality of certain websites. Even if it’s not required now, websites could be changed to refuse loading of their pages unless the fingerprinting scripts are present and operational, which would discourage people from trying to interfere with them.

A more effective way of approaching the problem would be for many people to share the same fingerprint. To some extent that is happening now with smartphones, which can’t be customized to the degree that desktop or laptop computers can. So phones currently present fewer opportunities for fingerprinters. It might be possible to make other kinds of computers all look alike if Web browsing were done through a cloud service, one that treats the browser running on the user’s PC simply as a terminal. Trackers would then be able to detect only the cloud browser’s fingerprint.

Companies offering cloud-based browsing already exist, but it’s not clear to us whether the browsers that are exposed to potential fingerprinters actually operate in the cloud. Still, there’s no reason to think that a system for preventing fingerprinting with a cloud browser couldn’t be engineered. For some of us, anyway, it could be worth adopting, even if it involved monthly charges. After all, doing nothing has a price, too—perhaps one as steep as forfeiting online privacy for good.

This article originally appeared in print as “Browse at Your Own Risk.”

About the Authors

Nick Nikiforakis, who joins the faculty of New York’s Stony Brook University in September, works at the University of Leuven, in Belgium, where coauthor Günes Acar is a Ph.D. student. Nikiforakis was raised in Greece, where the Muppets are somewhat obscure, but he sometimes refers to the creepy new technique as a “cookieless monster”—an apt label if you value your privacy.
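
Added example (not part of the article or of the forum post): the article's Prius/Passat argument put into numbers. It measures a browser's anonymity set in a small constructed population before and after a user-agent-spoofing extension changes only the claimed identity; the attribute names, the `engine_quirks` field and every sample value are assumptions made for illustration.

```python
import math
from collections import Counter

# Attribute names are assumptions for this sketch. "engine_quirks" stands in for
# the browser idiosyncrasies that the article says give away the real browser.
ATTRS = ("user_agent", "engine_quirks", "screen", "timezone", "fonts")


def make(user_agent, engine_quirks, screen, timezone, fonts):
    """Build one browser record from its observable attributes."""
    return dict(zip(ATTRS, (user_agent, engine_quirks, screen, timezone, fonts)))


def build_population():
    """Constructed sample: 16 browsers in three stock configurations."""
    linux_firefox = make("Firefox/Linux", "gecko", "1920x1080", "UTC+1", "linux-fonts")
    windows_ie = make("IE/Windows", "trident", "1920x1080", "UTC+1", "windows-fonts")
    iphone = make("Safari/iOS", "webkit", "640x1136", "UTC+1", "ios-fonts")
    return ([dict(linux_firefox) for _ in range(4)]
            + [dict(windows_ie) for _ in range(8)]
            + [dict(iphone) for _ in range(4)])


def fingerprint(browser):
    """The combined attribute tuple a fingerprinting script would compare."""
    return tuple(browser[a] for a in ATTRS)


def anonymity_set_size(browser, population):
    """Number of browsers in the population sharing this exact fingerprint."""
    counts = Counter(fingerprint(b) for b in population)
    return counts[fingerprint(browser)]


def surprisal_bits(browser, population):
    """Identifying information in the fingerprint: -log2(share of population)."""
    return -math.log2(anonymity_set_size(browser, population) / len(population))


def spoof_user_agent(browser, claimed):
    """Model a UA-switching extension: only the claimed identity changes."""
    spoofed = dict(browser)
    spoofed["user_agent"] = claimed
    return spoofed


def compare_spoofing():
    """Return ((set size, bits) before, (set size, bits) after) for one user."""
    population = build_population()
    user = population[0]  # one of the four stock Firefox/Linux browsers
    before = (anonymity_set_size(user, population), surprisal_bits(user, population))

    # The extension claims IE/Windows, but quirks and fonts still say Gecko/Linux,
    # so the resulting combination matches nobody else in the population.
    population[0] = spoof_user_agent(user, "IE/Windows")
    spoofed = population[0]
    after = (anonymity_set_size(spoofed, population), surprisal_bits(spoofed, population))
    return before, after


if __name__ == "__main__":
    before, after = compare_spoofing()
    print("before spoofing: set size %d, %.1f bits" % before)
    print("after spoofing:  set size %d, %.1f bits" % after)
```

The unmodified browser hides among four identical ones; the spoofed one is alone, which is the sense in which the article calls such extensions worse than useless. The four iPhone records illustrate the opposite case the article describes, where uniform devices share one fingerprint.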
by Graze
Thu Jan 22, 2015 2:17 pm
Forum: crypto, VPN & security news
Topic: EU Counter-Terrorism Coordinator - justifying surveillance 101
Replies: 0
Views: 11357

EU Counter-Terrorism Coordinator - justifying surveillance 101

Council of the European Union
General Secretariat
Brussels, 17 January 2015

From: EU Counter-Terrorism Coordinator
To: Delegations

EU CTC input for the preparation of the informal meeting of Justice and
Home Affairs Ministers in Riga on 29 January 2015

This is a first paper for discussion in COSI on 20 January 2015. It does not yet include the Commission’s proposals which will be discussed in the College on 21 January, nor the contributions from the Member States. The document which will be submitted to the informal meeting of JHA ministers in Riga on 29/30 January will be shorter, include the outcome of the COSI discussions as well as contributions from the Member States and the Commission.

Europe is facing an unprecedented, diverse and serious terrorist threat. The horrific attacks that took place in Paris between 7 and 9 January 2015 were followed by an unprecedented show of unity by millions of citizens in France and across Europe as well as a show of solidarity and political will by many EU and world leaders. In addition to action from the national governments, citizens are looking to the European Union to provide an ambitious response. Core European values have been attacked, in particular freedom of speech. The EU has to respond with meaningful action. Failure to do so could result in disillusionment of citizens with the EU.

At the EU level, work is already well on track and a lot is in the pipeline. However, as was the consensus in COREPER on 15 January 2015, now we need to mobilize the political will to amplify and accelerate implementation of measures which have already been decided by the Council since June 2013 and make better use of existing EU mechanisms, including the EU's revised Strategy for Combating Radicalisation and Recruitment to Terrorism and its guidelines.

We need to focus on sustainable and long term policies that increase the overall resilience of our societies in dealing with radicalisation and terrorism. In order to build this resilience, we need to not only target the response to terrorism but also have a strong focus on long term prevention of radicalisation. Past and current events have shown us the importance of including a strong cooperation and exchange with civil society in these policies.

The declaration adopted by the Ministers of Interior present in Paris on 11 January 2015 [1] is an excellent basis for the EU's further work and should be endorsed and implemented by the EU.

On this basis, and following the discussion in COREPER on 15 January 2015 as well as further consultations with Member States, the current note sets out priorities which should be taken forward urgently. They should be examined at the informal meeting of JHA ministers in Riga on 29 January, with a view to submitting a meaningful package of measures to the meeting of Heads of States and Government on 12 February.

Coherence between the internal and external work is crucial. Given the parallel work of the FAC where suggestions for action will also be developed, this note does not include suggestions for the external side. These external aspects of JHA will be included in the note prepared for the informal JHA ministerial meeting in Riga on 29 January (after the FAC).

1. Prevention of radicalization

a) Internet

The EU and its Member States have developed several initiatives related to countering radicalisation and terrorism on the internet, ranging from developing and promoting counter narratives to engaging in high-level dialogue with the industry, and several Member States, led by the Netherlands, have started to develop informal joint policies on social media and the legal framework related to internet and counter-terrorism. It is important to draw on these initiatives and identify what actions can be stepped-up to increase the EU's effectiveness.

The Commission should deepen the engagement with the internet companies. The Forum with
representatives from the EU institutions, Member States and industry counterparts to discuss
terrorism in full compliance with human rights should be set up quickly. The Forum could also
explore joint training and workshops for representatives of the law enforcement authorities, internet
industry and civil society. A dialogue with the internet companies is necessary at both EU and at
international level. In this context, further cooperation with the US could be explored.
Working with the main players in the internet industry is the best way to limit the circulation of
terrorist material online. We should build on the existing relationships between the major platforms,
Member States and the EU institutions in order to develop a stronger joint response.
We should build on the positive industry response, of which the UK Counter-Terrorism Internet
Referral Unit (CTIRU) work [2] is an excellent example, and also on the successful models in some
other Member States. There are options to take this forward at a national level and/or to work
together with other states and industry partners to further limit the use of the internet by terrorist
- Member States should consider establishing similar units to the UK CTIRU and replicate
relationships with the main social media companies to refer terrorist and extremist content which
breaches the platforms’ own terms and conditions (and not necessarily national legislation).
- Member States should also consider what role the EU can play. For those Member States
which do not yet have a national capability, EU involvement in referring terrorist and extremist
content to social media platforms for removal could make a difference. Consideration should be
given to a role for Europol in either flagging or facilitating the flagging of content which
breaches the platforms’ own terms and conditions. These often go further than national
legislation and can therefore help to reduce the amount of radicalising material available online. In
this context, Europol's Check the Web project could be beefed up to allow for monitoring and
analysis of social media communication on the internet.

[2] CTIRU continues to work with social media platforms to flag terrorist and extremist content to them which
breaches their own terms and conditions. Since February 2010, social media platforms and other parts of the
internet industry have voluntarily removed 72,000 pieces of terrorist content following referrals from CTIRU
because they have agreed that the content represents a breach of their rules. The main players have started to
improve their response and held a training event for the smaller platforms on this issue in December. The UK is
committed to sharing its experience across the EU.
The Commission should examine the legal and technical possibilities to remove illegal content
and make proposals for a common approach, in full compliance with fundamental rights.
In the law enforcement and judicial context, cross-border information about owners of IP addresses
can take very long to obtain, given the need to use MLAE tools. The Commission should be invited
to consider ways to speed up the process. In the meantime, existing best practices in the Member
States to deal with this issue could be collected and shared. Eurojust could facilitate this process, as
discussed at the Eurojust Strategic Meeting on Cybercrime held on 19-20 November 2014 in The
As proposed in the EU Strategy for Combating Radicalisation and Recruitment to Terrorism,
internet safety education in schools should be improved to ensure that the dangers of online
activity and potential to radicalisation and recruitment are highlighted and addressed appropriately
and consistently. In this context, Sweden could be invited to share its experience with training to
strengthen the critical thinking skills of young people with regard to the internet.
b) Strategic Communications
Member States and EU institutions are encouraged to develop strategic communications and
counter-narrative policies, making maximum use of the already existing Syria Strategic
Communications Advisory Team (SSCAT). Member States should develop positive, targeted and
easily accessible messages.
The Commission, in cooperation with Belgium, could convene urgently a meeting of the SSCAT
network and Member States to brainstorm proposals for national/pan-European/cross-border
communications efforts in the coming weeks, building on the unprecedented public response to the
Paris attacks and the mobilization of civil society. Proposals should be refined in time for the
informal JHA Ministerial meeting. The Commission might consider emergency funding in support
to this end.
With regard to counter-narratives, training to civil society organisations to exploit their online
potential is important. The RAN Center of Excellence in cooperation with industry could explore
to provide this.
Drawing on the experience of the EU's Fundamental Rights Agency (FRA), the EU should develop
and implement a communication and outreach strategy with regard to fundamental rights and
values. It is therefore important to also step-up our efforts to counter all kinds of extremism,
including the anti-Islamism and right-wing extremism, and continue to promote tolerance and
solidarity throughout the EU. We can build on the positive message that was echoed by the
majority of EU citizens in response to the Paris attacks.
It is important to engage in dialogue with Muslim communities in Europe. The Commission could
be tasked to draw on the expertise of the RAN Centre of Excellence and the BEPA to facilitate this.
The Commission, drawing on the experience of the FRA, could be tasked to develop dialogue with
Muslim communities on freedom of speech and expression and assist the Member States to do
so. The FRA could be invited to present suggestions for integration and non-discrimination of
c) Underlying factors of radicalization
The Commission should be invited to mobilize all relevant departments and resources to develop a
comprehensive package to assist Member States to address the underlying factors of
radicalization and support initiatives across the EU with regard to education, vocational training,
job opportunities, integration.
d) Dis-engagement, rehabilitation, de-radicalization
As discussed at the December 2014 JHA Council, de-radicalization, disengagement and
rehabilitation programmes, including in prison and as alternative to prison in the judicial context,
should be developed. The Commission should be asked to examine how best such judicial
rehabilitation and disengagement programmes could be set up and facilitate the sharing of best
practices and consider support to such projects, including financial, drawing on the experience of
the RAN Centre of excellence and Eurojust.
The Commission should speed up the establishment, amplify and project also to third countries the
RAN Centre of Excellence. The RAN Centre of Excellence should be in a position as soon as
possible to provide expert advice to Member States to set up programmes. Member States are
encouraged to develop at national level similar multidisciplinary networks which allow to exchange
good practices and coordinate efforts.
2. Border controls
Schengen is part of the solution, not the problem. The free movement inside the Schengen area is
one of the major achievements and values of the EU. To maintain Schengen and at the same time a
high level of security, controls at the Schengen external borders have to be strengthened.
Work engaged under the auspices of the Commission to step up the detection and screening of
travel movements by European nationals crossing the Schengen external borders should be swiftly
finalized. To that end, Member States will more extensively detect and monitor certain passengers
based on objective, concrete criteria which respect smooth border crossings, fundamental liberties
and security requirements. Common risk indicators and criteria will systematically be implemented
across the Schengen area.
In addition, the Commission could be invited to present a proposal in a timely fashion to amend the
rules of the Schengen Borders Code to allow for broader consultation of the Schengen
Information System during the crossing of external borders by individuals enjoying the right to free
movement. At the same time, technical solutions should be developed so that there is no impact on
passenger waiting times at passport controls.
The recommendations of the SIS/Sirene Working Party of December 2014 (doc 14523/3/14 Rev 3)
should be implemented as a matter of priority and urgency.
The Commission could support, as appropriate, Member States' initiatives to establish appropriate
technological and procedural requirements to reinforce systematic controls of the validity of travel
documents against the relevant databases such as Interpol's SLTD as well as the document section
of the SIS. Member States should establish such solutions as a matter of priority.
Common criteria to enter foreign fighters information into the SIS II should be developed.
3. Information sharing
Member States should implement all measures that may be helpful with respect to the sharing of
information on the different forms of the threat, notably foreign terrorist fighters, on knowledge of
their movements, and the support they receive, wherever they are, with a view to improving the
effectiveness of the fight against these phenomena. To that end, Member States should use fully the
resources of Europol, Eurojust and Interpol, as well as consider other measures.
The UK should be admitted to the SIS II as soon as the legal, technical and procedural requirements
are completed.
a) PNR
There is a crucial and urgent need to move toward a European Passenger Name Record (PNR)
framework, including intra-EU PNR. The Council is prepared to move forward, adopting a
constructive approach with the European Parliament without however jeopardizing the effectiveness
of the system. Member States and EU institutions are committed to engage MEPs as a matter of
b) Europol
The amount of information transmitted to Europol doesn't match the threat. Political will is needed
to increase the use of Europol - the biggest shortcoming has been the lack of information provided
by national CT authorities [3].
Member States should contribute to the maximum extent to the Europol Focal Point Travellers (the
situation that so far four Member States contribute 80 % of the data is not yet sufficient) and
participate in the working groups related to foreign fighters set up by Europol, which might need to
intensify their work.
Adopting some measures similar to those employed in the EU Policy Cycle against Serious and
Organised Crime, such as assigning driver roles to lead Member States, multilateral strategic and
operational planning and dedicated Commission funding, could add impact to EU CT work.
The creation of a European Counter-terrorism Centre at Europol, like the European Cybercrime
Centre (EC3), would allow Europol to translate existing capabilities into operational impact
quickly. The EU Counter-terrorism Centre could focus on five main pillars of work:
(1) Focus on Foreign Fighters, with complementary levels of intelligence sharing (SIS II, EIS, Focal
Point Travellers) and synergies with EU PNR;

[3] While the overall number of cases supported by Europol increased by 52 % from 2011 to
2014, the increase in CT cases was only 2 %.
In addition to better use of Focal Point Travellers, multinational ad-hoc working group Dumas and
the Network of CT contact points, Europol could establish a resident CT task force drawn from the
appropriate national agencies and hosted by Europol. This would follow the successful model of JCAT
in the cybercrime sphere. The CT task force would identify suitable networks to be reviewed
jointly, starting with less sensitive cases in order to build confidence. It would act as a fusion centre
for law enforcement and intelligence service data and would allow CT practitioners to interact with
their CT peers without the many interfaces which usually separate them from Europol at national
As the repository for more detailed intelligence in prioritised operations, Focal Point Travellers
should be seen as part of a three-tier intelligence sharing strategy, along with the Europol
Information System (EIS) and the Schengen Information System (SIS II). The EIS should be
used by investigators to share basic information about all suspected foreign fighters. It already has
the capability to store data on terrorists, but less than 2 % of current records are terrorism related.
Only minimal details need to be shared as a basis for follow-up inquiries, handling codes and
"hidden hits" can be used to restrict access (same model already successfully used in organized
In order to extract maximum value of an EU PNR, the national Passenger Information Units (PIUs)
should use SIENA for their cross-border communications, and should systematically cross-check
their PNR data against Europol's databases. Europol should work with PIUs to establish common
European methods for trend and travel pattern analysis, suspect identification etc. A central PIU
located at Europol could be established to work alongside those at the national level.
(2) Unique financial intelligence capabilities (EU-US TFTP, integration);
Investigative leads of EU-US Terrorist Financing Tracking Programme are cross-checked with
Europol's main CT database. Over 60 leads have already been provided following the Paris attacks.
As well as bringing the European FIU and CT communities into closer proximity, the
(European network of Financial Intelligence Units) integration into Europol will also give Europol
the opportunity to use ma3tch techniques currently used by for counter-terrorism
purposes. This would allow the identification of ‘need-to-know’ information in real time without
information being transmitted to Europol. This could be a key factor in convincing reluctant CT
units to make use of Europol channels.
DS 1035/15 GdK/lwp 9
(3) Support services to tackle firearms, explosives and CBRN threats
(4) Cyber capabilities to identify online terrorist activity and help to prevent acts of cyber-terrorism
Europol and MS should commit multidisciplinary resources to identifying, disrupting and
prosecuting terrorist activity online.
(5) Improved strategic intelligence (improving the TESAT, providing advice to Member States on
national terrorist threat levels and strengthening ties with INTCEN).
There is a threat posed to the security of our citizens from those who travel within the EU, and into
the EU, with criminal records indicating a violent or terrorism-related past. We have in place a
system, ECRIS, to ensure that each Member States holds a central record of its own nationals’
criminal history (wherever offences were committed within the EU) which can be shared with other
Member States when those individuals come to the attention of their law enforcement authorities.
However, the scope of ECRIS is limited. The problem is that the existing system for exchange of
criminal records at EU level (ECRIS) is reactive, case-by-case, in practice limited to EU citizens (it
does not work well with regard to third country nationals as it is not clear which Member State
should be requested for these criminal records) and limited primarily for specific criminal
investigations. We should explore how we can provide for a more systematic and proactive
exchange of such data within the EU, in particular on terrorist related convictions. This
would help to strengthen our ability to protect the public including against the insider threat. This
may involve strengthening the ECRIS framework, a greater role for Europol or other approaches.
The Commission could be invited to present proposals. There is already work underway to be able
to capture and share data on non-EU nationals who are convicted in the EU, which should now be
d) Data retention
The Commission could be invited to present as soon as possible a new legislative proposal for data
e) API data
The existing API directive should be implemented fully and used to the maximum extent. The
Commission could be invited to make suggestions in this regard.
f) Encryption/interception
Since the Snowden revelations, internet and telecommunications companies have started to use
often de-centralized encryption which increasingly makes lawful interception by the relevant
national authorities technically difficult or even impossible. The Commission should be invited to
explore rules obliging internet and telecommunications companies operating in the EU to provide
under certain conditions as set out in the relevant national laws and in full compliance with
fundamental rights access of the relevant national authorities to communications (i.e. share
encryption keys).
g) European Terrorist Financing Tracking System (TFTS)
It should be explored whether to relaunch the discussion started under the previous Commission on
the feasibility of a European TFTS.
4. Judicial response
There is a need to step up international judicial cooperation in terrorism cases, in particular cases of
foreign fighters.
a) Judicial information sharing
Member States should be encouraged to make optimal use of the possibilities for exchange of
information on prosecutions and convictions with Eurojust, as set out in Council Decision
2005/671/JHA of 20 September 2005 on the exchange of information and cooperation concerning
terrorist offences.
Member States should be also encouraged to increase the exchange of information with Eurojust, in
accordance with Article 13 of the Eurojust Decision, in cases of trafficking in firearms and
The use of the Eurojust national coordination system should be enhanced to facilitate the carrying
out of the tasks of Eurojust. The well-functioning network of national correspondents for Eurojust
for terrorism matters should continue to be fully used to foster the exchange of judicial information
and best practices in terrorism cases.
b) Strategic aspects
Coordination at EU level in addressing the legal challenges in the gathering and admissibility of
e-evidence in terrorism cases would be beneficial. Such challenges were discussed at the Eurojust
Strategic Meeting on Cybercrime in November 2014, where the need for a cybercrime judicial
network supported by Eurojust was strongly advocated. The possibility of creating a platform of
cyberterrorism prosecutors inside this cybercrime judicial network could also be explored. Eurojust
could be invited to further facilitate systematic exchanges of experience by national judicial
authorities and collection of good practices with regard to the gathering and admissibility of
evidence, in particular internet related, as well as investigation and adjudication of foreign fighters
Eurojust should continue to analyse relevant case law on terrorism in its Terrorism Convictions
Monitor (TCM) to further consolidate a common understanding of terrorist phenomena and identify
reoccurring legal challenges and best practice.
Where appropriate, Member States should be encouraged to use Eurojust’s assistance in terrorism
cases involving third States and share relevant experience and best practice during tactical and
strategic meetings.
c) Operational aspects
Member States should make maximum use of Eurojust tools, in particular its coordination
meetings and coordination centres. Member States should explore the setting up of Joint
Investigation Teams in terrorism cases with the assistance of Eurojust, including legal advice,
as well as financial support. Member States should be encouraged to refer to Eurojust European
Arrest Warrants concerning terrorist offences to ensure their proper and timely execution. In the
future, Member States should also make use of Eurojust’s assistance in the execution of European
Investigation Orders.
d) Rehabilitation programs in the judicial context should be developed as a priority.
e) Implementation of UN Security Council Resolution 2178
The Commission could be asked to present a legislative proposal to update the Council Framework
Decision on Combating Terrorism to collectively implement UNSCR 2178.
The Commission could also be asked to establish an overview of implementation of UNSCR 2178
by EU Member States, which is relevant also in the context of the US Visa Waiver Programme.
5. Firearms
The EU has a comprehensive set of measures in place and fighting illicit firearms trafficking is one
of the EU's crime priorities for the 2014-2017 period, as decided by the Council. However, only 13
Member States are participating in the Operational Action Plan firearms adopted by COSI.
Therefore, increased participation by Member States and acceleration of the implementation of the
various measures should be a priority notably to improve information sharing among Member
States and with Europol and to increase the number of joint firearms operations across Europe.
These operations should also target firearms trafficking on the internet and the Darknet.
Europol could be invited to present state of play on the use by Member States of Europol's firearms
database at the informal meeting of JHA ministers, in particular contribution of information, and its
activities in this context, to better identify and dismantle trafficking networks.
The Commission could be invited to make proposals to improve information exchange mechanisms
and the collection and destruction of prohibited weapons.
The rules across Europe for the de-militarization of firearms are not harmonized, which means
that in some Member States it is easier to re-activate de-militarized weapons. The Commission
could be invited to examine possibilities for harmonization.
The traceability of firearms only lasts 20 years. It should be explored to make this indefinite.
The Commission could also be invited to make suggestions to better address the trade of firearms
via internet.
More information on terrorist acquisition of firearms needs to be shared with Europol. Synergies
between CT and organized crime work must be sought.
6. Information sharing about measures at national level
a) National measures
Member States are invited to share unclassified measures they have adopted or are planning to
adopt at the national level by sending contributions in writing to the General Secretariat of the
Council so that an inventory can be established and shared with all Member States. The COSI
meeting on 20 January is aimed at determining the measures to be taken by the EU and not at
analyzing measures taken or contemplated by Member States at national level.
b) Threat level
In 2010, the Council had agreed a system of notification of change of alert levels through INTCEN,
which has never really functioned. Overall, as suggested by Spain, a discussion is desirable.
As suggested by the Spanish Minister of the Interior [4], it could be explored to harmonize the
designation of terrorist threat levels across Member States and to design a common mechanism
covering the EU with different levels of alert. In addition, the remit and purpose of TE-SAT could
be boosted to make it a viable threat assessment rather than a trend report. An even more ambitious
way forward would come with a closer alignment of the functions of Europol and INTCEN, to
make a genuine EU CT threat assessment centre with a dedicated task to inform threat levels in MS.
c) EU Integrated Political Crisis Response (IPCR)
In order to support communication efforts in relation to the current events, it is important for the EU
Member States and institutions to have an overview of messages released. In addition, sharing
information on communication monitoring (i.e. public/media/social media reaction to those
messages) may help crisis communication preparedness efforts. The EU Integrated Political Crisis
Response (IPCR) web platform is readily available and includes features built for that purpose,
such as the opening of a dedicated page for "monitoring on-going complex situations". Such a page
acts as an information-exchange forum and a repository where all communication-related data may
be easily found. Such an initiative may also rely on the recently established IPCR communication
correspondents network.
This informal network is constituted of crisis communication officials from the Member States and
institutions who act as points of contact and reference for crisis communication issues. A dedicated
section of the IPCR Web Platform has been also set-up to allow crisis communication specialists to
interact for preparedness purposes.
7. Internal/external link: Projecting JHA tools externally
Concrete proposals will be developed after the meeting of the FAC on 19 January 2015.
Member States should use Interpol to a maximum extent (diffusion system) to share information
with third countries. In order to maximise the use of these databases, experts should study and
deliver methods to harmonise the national practices for inserting national information on foreign
fighters in such a way that they are better exploitable by relevant third countries but also limited in
their distribution to the concerned partners.
by Graze
Thu Dec 04, 2014 5:19 pm
Forum: cryptostorm reborn: voodoo networking, stormtokens, PostVPN exotic netsecurity
Topic: how to use it, discussion, etc.
Replies: 20
Views: 50498

project logos - "thanks for trying" pile

These project logo ideas were submitted, but are unlikely to end up with any official status,

Always an adventure, around here.
by Graze
Thu Nov 27, 2014 5:30 am
Forum: general chat, suggestions, industry news
Replies: 17
Views: 32810


Actually good to see stuff getting flushed out - helps everyone be better, as both PJ and Mullvad mentioned up above. Good works, all!

*runs to store for more popcorn* :)
by Graze
Wed Nov 12, 2014 5:53 am
Forum: general chat, suggestions, industry news
Topic: The #cryptowtf caption contests
Replies: 2
Views: 15126

The #cryptowtf caption contests

Sometimes in the evening hours, certain un-named cryptostormers will take to our twitter feed (@cryptostorm_is) and raise a bit of havoc. All done in the sake of good-natured fun, and certainly not anything mean or mean-spirited. But yes... rather a little bit eccentric sometimes.

Folks who follow the feed already know this. :-)

One of the things that's been happening lately over there is a photo caption contest that's hashtagged #cryptowtf. Some of the images that get submitted are really, really funny. Some are a bit "edge-y," and some are outright lewd. So it goes...

Anyway I'm putting a few of them here, not in any order at all and not attributed (because that seems like a lot of work; maybe there's some auto-feed thing that'll pipe them into the forum, or something?). But at least they're here. Maybe we'll keep collecting them in this thread, so they don't get lost in the scroll-downs of twitters past.
by Graze
Sun Oct 26, 2014 3:33 pm
Forum: independent cryptostorm token resellers, & tokens 101
Topic: New Reseller in town :-D ||
Replies: 11
Views: 37569

Re: New Reseller in town :-D

Also, we expect "selfies" to be posted by all the resellers... just like df promised to do (for a good cause) this weekend. His teaser shot went viral on twitter! :clap:
by Graze
Wed Oct 01, 2014 3:25 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: CLOSED: aleph tokens ~ unlimited duration batch
Replies: 33
Views: 57903

Re: aleph tokens batch closed

At this point the batch is pretty well spoken for. A few folks are still completing purchases via this or that nonconventional payment procedures; beyond that, the tranche is now officially... closed! :!:

(we've had a few folks contact us to be in queue if one of these final alephs from the batch comes available again: we can't make any promises, obviously, but if you drop a note to we'll grab from that queue if one comes open - there might also be a couple that were minted for staff use but are not needed due to duplication... so it's likely the queue will get knocked down by at least a few alephs that come open this week or next)

Already we've been asked what the procedure is for recovering lost alephs. That is, someone who has purchased one loses it for one reason or another, and comes to us to have it re-issued (basically just providing them the token again - not making a new one). This is awkward. We don't keep purchase records, by definition, so there's no way for us to validate if someone comes to us and claims to be the owner of a particular aleph. Given the small batches issued, we can - sometimes - come up with a good "challenge question" to validate someone is who they say they are... but that's totally nonstandard and open to all sorts of corner-state hiccups.

Which is to say: please don't lose your aleph! Don't count on us being able to 'recover' it for you, because we work hard not to be able to do that, so you're going against the grain big-time in doing so! We won't be churlish about it if disaster strikes and your aleph goes awol... but understand that we can't guarantee it's going to be possible and, frankly, we'll be happier if we can't do it than if we can. So fair warning, eh?

I'm going to suggest we wind down this thread and pull it from global announcements, since it's mostly run its course... although it'll stay technically open in case there's follow-on questions.

Finally, we've been asked by lots of folks whether there will be more alephs in the future. The answer, as best I can summarise team thoughts on the subject, is: maybe, but most likely not. We're worried we under-priced these tranches - which is no crisis as we were happy to get them into the hands of folks who will get much value from them over the years. Still, in formal economic terms they're tough to settle on the balance sheet and we'd likely err on the side of upped pricing in the future. What would those prices be? I really don't have a sense from the team, at this point. Perhaps one more ^2 up from 2^8 is my hunch, fwiw.

On a personal note, thanks for the understanding as these got issued out - along with email addresses - in what was unquestionably a manual & ad-hoc process. We never intended to make alephs a big-volume offer, and thus never smoothed the rough edges of the issuance process. We were pretty sure that our members would understand how it goes, and so they did. Thanks for that. :thumbup:
by Graze
Sat Aug 02, 2014 1:19 am
Forum: crypto, VPN & security news
Topic: [TW] 11 reasons encryption is (almost) dead
Replies: 1
Views: 8005

Re: [TW] 11 reasons encryption is (almost) dead

Full text of article, just because it sometimes gets lost on the interwebs...

11 reasons encryption is (almost) dead

Massive leaps in computing power, hidden layers, hardware backdoors -- encrypting sensitive data from prying eyes is more precarious than ever

By Peter Wayner | InfoWorld | Published: 10:03, 05 May 2014

Everyone who has studied mathematics at the movie theater knows that encryption is pretty boss. Practically every spy in every spy movie looks at an encrypted file with fear and dread. Armies of ninjas can be fought. Bombs can be defused. Missiles can be diverted. But an encrypted file can only be cracked open with the proper key -- and that key is always in the hands of a dangerously attractive agent hidden in a sumptuous hideout on the other side of the world. (Never in Newark or New Haven -- who wants to film there?)

Alas, this theorem of encryption security may be accepted as proven by math geniuses at Hollywood U., but reality is a bit murkier. Encryption isn't always perfect, and even when the core algorithms are truly solid, many other links in the chain can go kablooie. There are hundreds of steps and millions of lines of code protecting our secrets. If any one of them fails, the data can be as easy to read as the face of a five-year-old playing Go Fish.

Encryption is under assault more than ever -- and from more directions than previously thought. This doesn't mean you should forgo securing sensitive data, but forewarned is forearmed. It's impossible to secure the entire stack and chain. Here are 11 reasons encryption is no longer all it's cracked up to be.

Encryption's weak link No. 1: No proofs -- just an algorithm arms race

The math at the heart of encryption looks impressive, with lots of superscripts and subscripts, but it doesn't come with any hard and fast proofs. One of the most famous algorithms, RSA, is said to be secure -- as long as it's hard to factor large numbers. That sounds impressive, but it simply shifts the responsibility. Is it truly that hard to factor large numbers? Well, there's no proof that it's hard, but no one knows how to do it right all of the time. If someone figures out a fast algorithm, RSA could be cracked open like an egg, but that hasn't happened yet ... we think.

Encryption's weak link No. 2: Disclosure is the only means of detecting a crack

Suppose you figured out how to factor large numbers and crack RSA encryption. Would you tell the world? Perhaps. It would certainly make you famous. You might get appointed a professor at a fancy college. You might even land a cameo on "The Big Bang Theory."

But the encryption-cracking business can be shady. It isn't hard to imagine that it attracts a higher share of individuals or organizations that might want to keep their newfound power secret and use it to make money or extract valuable information.

Many of our assumptions about the security of cryptography are based on the belief that people will share all of their knowledge of vulnerabilities -- but there is no guarantee anyone will do this. The spy agencies, for instance, routinely keep their knowledge to themselves. And rumors circulate about an amazing cryptographic breakthrough in 2010 that's still classified. Why should the rest of us act any differently?

Encryption's weak link No. 3: The chain is long and never perfect

There are a number of excellent mathematical proofs about the security of this system or that system. They offer plenty of insight about one particular facet, but they say little about the entire chain. People like to use phrases like "perfect forward security" to describe a mechanism that changes the keys frequently enough to prevent leaks from spreading. But for all of its perfection, the proof covers only one part of the chain. A failure in the algorithm or a glitch in the software can circumvent all this perfection. It takes plenty of education to keep this straight.

Encryption's weak link No. 4: Cloud computing power is cheap and massive

Some descriptions of algorithms like to make claims that it would take "millions of hours" to try all the possible passwords. That sounds like an incredibly long time until you realize that Amazon alone may have half a million computers for rent by the hour. Some botnets may have more than a million nodes. Big numbers aren't so impressive these days.

Encryption's weak link No. 5: Video cards bring easy parallelism to cracking

The same hardware that can chew through millions of triangles can also try millions of passwords even faster. GPUs are incredible parallel computers, and they're cheaper than ever. If you need to rent a rack, Amazon rents them by the hour too.

Encryption's weak link No. 6: Hypervisors -- the scourge of the hypervigilant

You've downloaded the most secure distro, you've applied all the updates, you've cleaned out all the cruft, and you've turned off all the weird background processes. Congratulations, you're getting closer to having a secure server. But let's say you're still obsessed and you audit every single last line of code yourself. To be extra careful, you even audit the code of the compiler to make sure it isn't slipping in a backdoor.

It would be an impressive stunt, but it wouldn't matter much. Once you have your superclean, completely audited pile of code running in a cloud, the hypervisor in the background could do anything it wanted to your code or your memory -- so could the BIOS. Oh well.

Encryption's weak link No. 7: Hidden layers abound

The hypervisor and the BIOS are only a few of the most obvious layers hidden away. Practically every device has firmware -- which can be remarkably porous. It's rarely touched by outsiders, so it's rarely hardened.

One research "hardware backdoor" called Rakshasa can infect the BIOS and sneak into the firmware of PCI-based network cards and CD drivers. Even if your encryption is solid and your OS is uninfected, your network card could be betraying you. Your network card can think for itself! It will be a bit harder for the network card to reach into the main memory, but stranger things have happened.

These hidden layers are in every machine, usually out of sight and long forgotten. But they can do amazing things with their access.

Encryption's weak link No. 8: Backdoors aplenty

Sometimes programmers make mistakes. They forget to check the size of an input, or they skip clearing the memory before releasing it. It could be anything. Eventually, someone finds the hole and starts exploiting it.

Some of the most forward-thinking companies release a steady stream of fixes that never seems to end, and they should be commended. But the relentless surge of security patches suggests there won't be an end anytime soon. By the time you've finished reading this, there are probably two new patches for you to install.

Any of these holes could compromise your encryption. It could patch the file and turn the algorithm into mush. Or it could leak the key through some other path. There's no end to the malice that can be caused by a backdoor.

Encryption's weak link No. 9: Bad random-number generators

Most of the hype around encryption focuses on the strength of the encryption algorithm, but this usually blips over the fact that the key-selection algorithm is just as important. Your encryption can be superstrong, but if the eavesdropper can guess the key, it won't matter.

This is important because many encryption routines need a trustworthy source of random numbers to help pick the key. Some attackers will simply substitute their own random-number generator and use it to undermine the key choice. The algorithm remains strong, but the keys are easy to guess by anyone who knows the way the random-number generator was compromised.

Encryption's weak link No. 10: Typos

One of the beauties of open source software is that it can uncover bugs -- maybe not all of the time but some of the time.

Apple's iOS, for instance, had an extra line in its code: goto fail. Every time the code wanted to check a certificate to make sure it was accurate, the code would hit the goto statement and skip it all. Oops.

Was it a mistake? Was it put there on purpose? We'll never know. But it sure took a long time for the wonderful "many eyes" of the open source community to find it.

Encryption's weak link No. 11: Certificates can be faked

Let's say you go to with an encrypted email connection, and to be extra careful, you click through to check out the certificate. After a bit of scrutiny, you discover it says it was issued by the certificate authority Alpha to and it's all legit. You're clear, right?

Wrong. What if got its real SSL certificate from a different certificate authority -- say, Beta. The certificate from Alpha may also be real, but Alpha just made a certificate for and gave it to the eavesdropper to make the connection easier to bug. Man-in-the-middle attacks are easier if the man in the middle can lie about his identity. There are hundreds of certificate authorities, and any one of them can issue certs for SSL.

This isn't a hypothetical worry. There are hundreds of certificate authorities around the world, and some are under the control of the local governments. Will they just create any old certificate for someone? Why don't you ask them?
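Weak link No. 10 in the article above describes a duplicated `goto fail` line that skips a certificate check. The C sketch below is an added example, not Apple's code and not part of the original article: it models that control flow with hypothetical helpers (`hash_update`, `sign_params`, `signature_matches`, and a toy hash standing in for the real signature step) and puts the buggy shape beside a fail-closed rewrite.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a handshake signature check. All names are
 * hypothetical; the "hash" and "signature" are toys that only preserve the
 * 0-means-success convention the bug depends on. */
typedef struct {
    const char *signed_params;  /* data the server claims to have signed */
    const char *signature;      /* signature presented with it */
} handshake_t;

static int hash_update(unsigned *state, const char *data) {
    if (data == NULL) return -1;
    for (; *data; ++data) *state = *state * 31u + (unsigned char)*data;
    return 0;
}

/* Toy signer: the "signature" is the decimal form of the running hash. */
void sign_params(const char *params, char *out, size_t n) {
    unsigned state = 7;
    hash_update(&state, "client_random");
    hash_update(&state, params);
    snprintf(out, n, "%u", state);
}

static int signature_matches(unsigned state, const char *signature) {
    char expected[16];
    if (signature == NULL) return -1;
    snprintf(expected, sizeof expected, "%u", state);
    return strcmp(expected, signature) == 0 ? 0 : -1;
}

/* Buggy shape: the second "goto fail" is not guarded by any if, so it is
 * always taken. At that point err still holds 0 from the successful hash
 * update, and the signature comparison below it never runs.
 * GCC and Clang flag this layout with -Wmisleading-indentation. */
int verify_vulnerable(const handshake_t *hs) {
    int err;
    unsigned state = 7;

    if ((err = hash_update(&state, "client_random")) != 0)
        goto fail;
    if ((err = hash_update(&state, hs->signed_params)) != 0)
        goto fail;
        goto fail;  /* the extra line */
    if ((err = signature_matches(state, hs->signature)) != 0)
        goto fail;

fail:
    return err;
}

/* Fail-closed rewrite: the result starts as failure and becomes success
 * only on the single line reached after every check has passed. A stray
 * "goto done" here would reject the handshake instead of accepting it. */
int verify_hardened(const handshake_t *hs) {
    int err = -1;
    unsigned state = 7;

    if (hash_update(&state, "client_random") != 0) {
        goto done;
    }
    if (hash_update(&state, hs->signed_params) != 0) {
        goto done;
    }
    if (signature_matches(state, hs->signature) != 0) {
        goto done;
    }
    err = 0;

done:
    return err;
}

int main(void) {
    char sig[16];
    sign_params("dh_params_A", sig, sizeof sig);          /* constructed input */
    handshake_t good = { "dh_params_A", sig };
    handshake_t forged = { "dh_params_A", "not-a-signature" };

    printf("vulnerable: good=%d forged=%d\n",
           verify_vulnerable(&good), verify_vulnerable(&forged));
    printf("hardened:   good=%d forged=%d\n",
           verify_hardened(&good), verify_hardened(&forged));
    return 0;
}
```

A regression test that feeds a deliberately wrong signature and expects rejection catches this class of bug even when code review misses it.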
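Weak link No. 9 in the article above says a strong cipher does not help when the key comes from a guessable random-number generator. This added C example is not from the article; the LCG-based `weak_key`, the timestamp-sized seed and the one-hour window are assumptions made for illustration. It shows that a key derived from such a seed lies inside a candidate set of 7,201 values, while a key read from the operating system's generator does not.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* Weak: every key byte comes from a small linear congruential generator
 * whose only input is `seed`. The key looks random but carries no more
 * uncertainty than the seed does. */
void weak_key(uint32_t seed, uint8_t key[KEY_LEN]) {
    uint32_t s = seed;
    for (int i = 0; i < KEY_LEN; i++) {
        s = s * 1664525u + 1013904223u;
        key[i] = (uint8_t)(s >> 24);
    }
}

/* Strong: take the bytes from the operating system's CSPRNG.
 * Returns 0 on success, -1 if the device could not be read. */
int strong_key(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* Audit helper: does any seed in [lo, hi] reproduce `key` through
 * weak_key()? Returns 1 and stores the first matching seed in *found,
 * or returns 0 if the key is outside that candidate set. */
int seed_in_window(const uint8_t key[KEY_LEN], uint32_t lo, uint32_t hi,
                   uint32_t *found) {
    uint8_t cand[KEY_LEN];
    for (uint32_t s = lo; ; s++) {
        weak_key(s, cand);
        if (memcmp(cand, key, KEY_LEN) == 0) {
            *found = s;
            return 1;
        }
        if (s == hi) break;   /* checked before s++ so hi = UINT32_MAX is safe */
    }
    return 0;
}

int main(void) {
    const uint32_t seed = 1399284180u;   /* constructed, clock-like seed */
    const uint32_t lo = seed - 3600u;    /* auditor knows the hour, not the second */
    const uint32_t hi = seed + 3600u;
    uint8_t k[KEY_LEN];
    uint32_t found = 0;

    weak_key(seed, k);
    if (seed_in_window(k, lo, hi, &found))
        printf("128-bit weak key reproduced from seed %u after at most %u tries\n",
               (unsigned)found, (unsigned)(hi - lo + 1u));

    if (strong_key(k) == 0 && !seed_in_window(k, lo, hi, &found))
        printf("OS-generated key is not in the %u-candidate set\n",
               (unsigned)(hi - lo + 1u));
    return 0;
}
```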
by Graze
Wed Jul 23, 2014 4:37 am
Forum: cryptostorm reborn: voodoo networking, stormtokens, PostVPN exotic netsecurity
Topic: [Reuters] Talk on cracking Tor cancelled
Replies: 0
Views: 19729

[Reuters] Talk on cracking Tor cancelled ... QB20140721

Talk on cracking Internet anonymity service Tor canceled

SAN FRANCISCO Mon Jul 21, 2014 6:21pm EDT

(Reuters) - A highly anticipated talk on how to identify users of the Internet privacy service Tor was withdrawn from the upcoming Black Hat security conference, a spokeswoman for the event said on Monday.

The talk was canceled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where the speakers work as researchers, the spokeswoman, Meredith Corley, told Reuters.

Tor is a double-edged sword that has given dissidents living under repressive regimes a way of communicating safely. But it also has enabled criminals to take advantage of its cloak of anonymity.

The Black Hat conference, one of the longest-running and best-attended security trade shows in the world, is scheduled for Las Vegas August 6-7.

Corley said a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the materials he would discuss have not been approved for public release by the university or the Software Engineering Institute (SEI).

It was unclear what aspects of the research concerned the university.

The institute, based at the university, is funded by the Defense Department. SEI also runs CERT, historically known as the Computer Emergency Response Team, which works with the Department of Homeland Security on major cybersecurity issues.

Spokesmen for Carnegie Mellon and the Defense Department did not comment on the cancellation. One official said DHS had played no role in pulling the talk.

Its abstract, titled “You don’t have to be the NSA to Break Tor: De-Anonymizing Users on a Budget,” had attracted attention within the security and privacy communities. The abstract had been published on Black Hat's website but has since been removed.

The U.S. government funded the creation and much of the operation of Tor as a communications tool for dissidents in repressive countries. But Tor has frustrated the U.S. National Security Agency for years, according to documents released by former agency contractor Edward Snowden.

That revelation has helped increase adoption by those seeking privacy for political reasons, as well as criminals, researchers say.

Some criminal suspects on Tor have been unmasked by the U.S. Federal Bureau of Investigation and other law enforcement or intelligence agencies using a variety of techniques, including tampering with software often used alongside Tor.

In their now-vanished Black Hat abstract, researchers Alexander Volynkin and Michael McCord, said "a determined adversary" could “de-anonymize hundreds of thousands Tor clients and thousands of hidden services within a couple of months,” all for less than $3,000. Neither man responded to a request for comment.

Their summary said they had tested their techniques and that they would discuss dozens of successes, including cases where suspected child pornographers and drug dealers had been found.

In the best-known Tor case, U.S. authorities in October shut down online drug bazaar Silk Road, a so-called hidden service reachable only via Tor.

Tor Project President Roger Dingledine, lead developer of the software, told an online mailing list that the project had not requested the talk be canceled.

Dingledine said the nonprofit group was working with CERT to coordinate disclosure of details on the researchers' attack on the network.

He also said he had questions "about some aspects of the research." In years past, other researchers studying Tor traffic have been criticized for intruding on users' privacy.

This would not be the first time a talk has been canceled at Black Hat. Presentations have been pulled from it and other conferences under pressure from software makers or for other reasons.

(Reporting by Joseph Menn; Additional reporting by Jim Finkle; Editing by Chris Reese, Jonathan Oatis and Dan Grebler)
by Graze
Mon Jul 21, 2014 5:27 am
Forum: member support & tech assistance
Topic: RESOLVED? | Unstable connection in Iceland or am I doing ...
Replies: 73
Views: 71461

Re: RESOLVED? | Unstable connection in Iceland or am I doing

OK, so parityboy and fermi worked with us tonight on this issue via IRC. We think we have a fix, but again (and ya, this is a different fix) I need confirmation: Are you folks getting better connections now? What I mean is that some people were experiencing regular disconnections every twenty minutes or so - I am hoping that those are no longer happening.

Thanks again so much to parityboy, fermi, tls, and all the others who were working with us in chat on this issue!
by Graze
Sun Jul 20, 2014 2:58 am
Forum: member support & tech assistance
Topic: RESOLVED? | Unstable connection in Iceland or am I doing ...
Replies: 73
Views: 71461

Re: Unstable connection in Iceland or am I doing something w

Should be better now(?)

DF made some server mods, and we think that may have helped.

Any confirmation from you guys??

by Graze
Fri Jul 18, 2014 6:41 am
Forum: member support & tech assistance
Topic: New auth error discovered
Replies: 16
Views: 16231

Re: New auth error discovered

This is a new bug thanks to some reference-count checking code we have recently activated. Basically, as a workaround, know that it will time out, and it will allow a re-connect after a number of seconds. I suspect it's on the order of 10-30. However, that's not really acceptable, so we may tweak the code to be more forgiving of network drop-outs.

by Graze
Fri Jul 18, 2014 6:15 am
Forum: member support & tech assistance
Topic: RESOLVED? | Unstable connection in Iceland or am I doing ...
Replies: 73
Views: 71461

Re: Unstable connection in Iceland or am I doing something w

We are still looking into it - it's what one might call "a bit of a puzzler" in that it was stable before and seems to no longer be, despite nothing of substance changing server side - we've had lots of discussion on it, which led to this little bit of sunshine which basically says, "it's better to drop the connection, than to connect insecurely."

Obviously our goal is to actually connect both solidly AND securely. We continue to look into it.
by Graze
Thu Jul 17, 2014 4:57 am
Forum: member support & tech assistance
Topic: RESOLVED? | Unstable connection in Iceland or am I doing ...
Replies: 73
Views: 71461

Re: Unstable connection in Iceland or am I doing something w

Quark5 wrote:@cryptostorm_ops

I have the same problems as the others. It has been for some days but I am using Windows 7 64 bit.

Oh, just caught up to see this Win7 in there. Hmmm. Maybe it's not Linux related. Are you using our widget or OpenVPN directly? If it's OpenVPN can you send us your conf file as well, please?

Thank you!
by Graze
Thu Jul 17, 2014 4:54 am
Forum: member support & tech assistance
Topic: RESOLVED? | Unstable connection in Iceland or am I doing ...
Replies: 73
Views: 71461

Re: Unstable connection in Iceland or am I doing something w

OK, we've seen enough of these complaints that we have to assume that we're missing something. We've noticed that a lot/most of the issues are via Linux, thus we're wondering if some of you with intermittent issues can email your .conf files to so we can see if there's some setting that's causing issues.

Thanks, and apologies for the issues!
by Graze
Thu Jul 17, 2014 4:30 am
Forum: member support & tech assistance
Topic: pre-1.21 widget feedback (mostly closed, now...)
Replies: 21
Views: 21417

Re: widget v1.10 official release

Rider wrote:
parityboy wrote:@Rider

Agreed. :D I will say though that while I'm not sure what the teams plans are, CS' potential as a darknet hasn't even been scratched at yet. :D I'm more than happy to support this project (which is why I do :D).
I agree and I was just reading this article - ... on-140315/

We as a community need to promote CS/darknet. Only thing which I have been saying for years, is that CS needs to plan things ahead of time and market it better and better support system.
I think it's fair to say that this last year has been a bit of a trial run. We have asked ourselves, "can we do it right?" and we did so with little attention to making money - frankly, we did it mostly as a "fuck you" to some government surveillance after doing a fair bit of research and putting lots of our own time and money in. I also think that we didn't want to do that thing you often see other companies do, where they grow huge and then realize they designed things wrong - we purposefully dragged beta out a long time to be sure that things were solid, we spent something like five months doing nothing but tweaking network configurations, proving that OpenVPN - when configured properly - can perform almost at the same speed as non-encrypted traffic. We did twenty other little things similarly... The point is, I think we're now almost at the point where we feel confident in what was built. We've been below the radar, we built a great product (and largely thanks to early clients like yourselves who tell us what's working and what isn't) and it's almost time to turn it on for the rest of the people out there.

Over the next couple months, we'll likely do a bit of a re-do of the website to make it more n00b friendly, and we'll start to see how we can inform those who are less technical that this is a better way to do security - far better than many of those people on the many "Top VPN companies of 20xx!" lists - not that I'm biased. :P

Thanks again for your support!
by Graze
Wed Jul 09, 2014 4:53 pm
Forum: general chat, suggestions, industry news
Topic: XKEYSCORE source code
Replies: 8
Views: 16777

Validating XKeyScore code

More info this AM...

via ... -code.html

Validating XKeyScore code

The burning questions about the XKeyScore “source code” are whether it’s real, and whether it came from Snowden. The Grugq (@thegrugq) has some smart insight into this, and I have my own expertise with deep-packet-inspection code. I thought I’d write up our expert analysis to the questions.

TL;DR: we believe the code is partly fake and that it came from the Snowden treasure trove.

A slightly longer summary is:
The signatures are old (2011 to 2012), so it fits within the Snowden timeframe, and is unlikely to be a recent leak.
The code is weird, as if they are snippets combined from training manuals rather than operational code. That would mean it is “fake”.
The story makes claims about the source that are verifiably false, leading us to believe that they may have falsified the origin of this source code.
The code is so domain specific that it probably is, in some fashion, related to real XKeyScore code – if fake, it's not completely so.


As this post to the Tor developer mailing list describes, the signatures in the code are old. The earliest date this file can be valid is 2011-08-08, when the Linux journal reported on TAILS. The latest date might be 2012-09-21, just before a new server was added to Tor that isn't in the XKeyScore list. Since this is shortly before Snowden first tried to contact Greenwald, the dates sync up.

Likewise, the bridges info is over a year out of date, again pointing to an old leak in the Snowden timeframe rather than a new leak.

As many have commented, it looks like disjoint snippets pulled from many files. The code references variables that are missing from this file. Many (like myself) assumed that these snippets were pulled from source files (text files ending in an extension like .xks). However, on Twitter today between myself, @0xabad1dea, and mostly @thegrugq, we came to the conclusion that they probably come from document files (.ppt, .pdf, .doc, etc.). These document files could be training manuals designed for analysts and engineers, PowerPoints designed to impress others in the intelligence community how advanced the system is, or a document explaining how the NSA was dealing with the Tor threat.

The filename xkeyscorerules100.txt is implausible. Source files do not end in ".txt" and the term "rules" is an odd choice.

In other words, instead of being real operational code running in the field, there is a good chance that this is just samples scattered around various documents within the Snowden trove. That would explain why Bruce Schneier, who has seen Snowden docs, believes there is a second leaker because he doesn't remember seeing this source.

That would also explain the comments, like those mentioning how extremists use TAILS. These comments are unlikely to appear that way in real source files. However, they are precisely the sort of comments you'd expect in a training manual describing how to write XKeyScore fingerprints.

This would also explain why two different regexes in the file use two different techniques for capturing port numbers, and why two different snippets of C++ code use two different techniques for inserting data into a database.

As a deep-packet-inspection (DPI) expert, I can confirm that this code is too "real" to be completely fake. It could be fake in the sense that it's training manual code or prototype, but it's definitely related to XKeyScore somehow. If it's completely fake, then only another expert in DPI could've faked it. I just don't think a non-expert is smart enough to fake it this completely.

The original press story makes willful misrepresentations, such as claiming those servers are under surveillance. This isn't true, it's unlikely the NSA has a fulltake sensor monitoring all traffic in/out of the servers. Instead, it has fulltake sensors elsewhere in the world (like Iraq) that capture all sessions, and this code simply annotates/indexes which sessions belong to those servers.

Another misrepresentation in the story is that the source calls the Linux Journal an extremist forum. That's not true.

A comment does say that TAILS is "a comsec mechanism advocated by extremists on extremist forums". This is true, as the picture (from the Grugq) demonstrates on the right: it's a picture from an ISIS/jihadi forum advocating the use of TAILS. But nowhere does it claim that the Linux Journal is one of those extremists -- that's something willfully made up by the authors of the story.

That the story already misrepresents the meaning of this source code hints that it may already be misrepresenting the provenance.


We believe the file was faked in some fashion. The missing global variables are proof of this.

It could simply be that the snippets were pulled from legitimate source files, pulling together all the pieces that relate to Tor.

Or, it could be majorly faked, in that this isn't operational XKeyScore code at all, but just examples or exercises pulled from training manuals.

But, it's unlikely to be completely fake -- because to fake it to this level, you'd need actual prototype code that would serve XKeyScore needs in the first place.

The story makes misrepresentations about the source already, they may have made more about the validity of this code.

We therefore know at best, the source code has been altered in some fashion, and at worst that it's related to XKeyScore in some fashion, even if it's not operational source code.

The accusation that the journalists willfully misrepresented things is a strong one, so I've copied the text below. The original story starts with the following bullet point:
It also records details about visits to a popular internet journal for Linux operating system users called "the Linux Journal - the Original Magazine of the Linux Community", and calls it an "extremist forum".
The relevant source code says this (bold added by me)

These variables define terms and websites relating to the TAILs (The Amnesic
Incognito Live System) software program, a comsec mechanism advocated by
extremists on extremist forums.

$TAILS_terms=word('tails' or 'Amnesiac Incognito Live System') and word('linux'
or ' USB ' or ' CD ' or 'secure desktop' or ' IRC ' or 'truecrypt' or ' tor ');
$TAILS_websites=('') or ('*');

As you can see, the source is not calling the Linux Journal an extremist forum, the two aren't related.
by Graze
Sat Jul 05, 2014 5:12 am
Forum: general chat, suggestions, industry news
Topic: XKEYSCORE source code
Replies: 8
Views: 16777

Re: XKEYSCORE source code

OK, so lots of interesting stuff is out there lately... Some of our handlers have retweeted good shite from Matthew Green, the Grugq, etc. on the subject lately... For example: ... e.html?m=1 ... 07085.html

And this just because :)

by Graze
Fri Jul 04, 2014 7:03 am
Forum: member support & tech assistance
Topic: pre-1.21 widget feedback (mostly closed, now...)
Replies: 21
Views: 21417

Re: widget v1.0 official release

Guest wrote:This fragmentation is a big problem to be honest. We have way too less clients per node for a real good "mix em up". Some people would talk about correlation attacks but I don't think they are a real problem in practice because we it doesn't concern dragnet collection of our data.

Nonetheless we should get up the amount of people per exit node significantly. I know there needs to be a windows and a linux (also works for android) instance but we need to merge the pre and post heartbleed users so everyone gets safer.

This weekend we are retiring a couple of the older servers (they were metered, so we need them out of the farm - they eat too much :) ) and that will reduce some of the pre-heartbleed. We will slowly kill off the pre-heartbleed clients over the next couple weeks, I think. Maybe sooner.

If you want to up people per node, we're all for that - tell people that we're cool :D

by Graze
Thu Jun 12, 2014 5:07 am
Forum: crypto, VPN & security news
Topic: [eWeek] OpenSSL Finds and Fixes 7 New Security Flaws
Replies: 3
Views: 9963

Re: [eWeek] OpenSSL Finds and Fixes 7 New Security Flaws

marzametal wrote:lmao @ forgot to restart some stuff... hahahahahahahaha ohhhh man hilarious!
LOL. Indeed. Very, embarrassingly oops. :D

On the bright side, not running something that's insecure is sometimes not a bad option - although sadly that's not what happened so I can't pretend it was a wise, deliberate decision or anything. ;)
by Graze
Thu Jun 12, 2014 5:00 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm exitnode clusters: listing+requests+roadmap
Replies: 89
Views: 125467

Re: cryptostorm exitnode clusters: listing+requests+roadmap

Brazil wrote: ...
IMO strategically Brazil and Malaysia as your next spots. If you're looking at getting buy-in to your nodes, Brazil has a huge alternative software community that's very concerned about privacy (see Twister, ZapZap, etc.)
I personally love the idea of a Brazil node. Just putting in my vote. :)
by Graze
Thu Jun 12, 2014 4:54 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm exitnode clusters: listing+requests+roadmap
Replies: 89
Views: 125467

Re: cryptostorm exitnode clusters: listing+requests+roadmap

asia wrote:good points.

i would appreciate a node in Japan and South Korea, just from the performance/latency point as both are "islands" (korea kind of is, due to north korea), with very high speed "domestic" inter(intra)-net, but really bad connectivity once you access servers outside the island.
using a HK vpn in South Korea for example, degrades the performance immensely. while torrent performance goes down flaking from 1.1 MB/s to 2.7 MB/s instead of the usual 5-6 MB/s, accessing websites - which range from sites behind stellar CDN's with a node at the same ISP, to other CDN's at least closer to the region, to sites without any CDN, hosted in europe, us, whatever - can take 5-10 seconds now. definitely hard to accept, not only for korean standards, but also compared to normal slowish european, american consumer grade internet connections.
voip or gaming is impossible due to 300 to 600ms latency or so.

I hear ya on Asia. It was to be our next exitnode, however, we've run into some disagreements with our Canadian provider so may spin up another Canada node for redundancy, as well as another US node just to cover immediate growth.

By the end of the month we should have an Asia server.

Now, as to where exactly in Asia, I love the discussion here. However, I would want our customers to always assume that people above our servers somewhere on the tree are watching what comes out of the tunnel, so even though we never log traffic, and our encryption rocks, the regime that a server is running in can watch or be bought/bribed into watching that traffic. So I guess I'm of the "we should assume that all that exiting traffic is being watched, thus ANY country can be an issue."

As with Canada, if we run into any issues with a node or provider, we'll just spin up another. If the laws of the country begin to work against us (Canada is probably going to legalize warrantless customer requests next month, pretending it has something to do with child protection when it's clearly overreaching into politics and activism) we'll just leave that country. Nodes are fairly quick to spin up these days. :)

EDITED TO ADD: What I mean about "we should assume that all that exiting traffic is being watched, thus ANY country can be an issue" is that .gov has tools that allow it to see your Google, Yahoo, Facebook cookies, etc. on the exiting side of the tunnel, thus if you log into Google, you may be dragging those cookies around with you, allowing the .gov to make an educated guess about your identity when mixed with other data.
by Graze
Thu Jun 12, 2014 4:44 am
Forum: member support & tech assistance
Topic: Tokens not dieing at end of month
Replies: 7
Views: 8333

Re: Tokens not dieing at end of month

Ya, we've got a known issue with the tokens replicating to the site which validates them. We may get to fixing today.

Apologies for the issue!
by Graze
Mon Jun 09, 2014 1:20 am
Forum: crypto, VPN & security news
Topic: [eWeek] OpenSSL Finds and Fixes 7 New Security Flaws
Replies: 3
Views: 9963

Re: [eWeek] OpenSSL Finds and Fixes 7 New Security Flaws

We are upgraded on all servers for this as of two nights ago (a source of a brief outage, too as we forgot to restart some stuff - apologies for that) also, we had issues with "chili" (the US node) and that too has just been cleared up.

Thanks for the updates, as always!
by Graze
Thu May 01, 2014 8:32 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's Post-Heartbleed Certificate Upgrade Trajector
Replies: 79
Views: 191529

Re: cryptostorm's Post-Heartbleed Certificate Upgrade Trajec

Desu wrote: ...
You must really frustrate me on personal level to get me explode like this. But lately some shortcomings on here are really getting to me. I hate to say this publicly but you guys are obviously short on men big time. That's bad and I wish I could change it but I can't. But this doesn't stop me from getting very angry at you when you, all hardships aside, are falling short even though you work your asses off day and night.

It really sucks to be the best VPN out there, does it? People create major expectations and if you don't meet them: BOOM! Disappointment. "No good deed goes unpunished." they say. ;)
This is - obviously - a very valid point.

We're short of people - and what's worse is we've worked so hard to create a trust-based company that adding new people (when all of the best said crypto-foilhat people in this day and age are merely an n-character handle on the interwebs) is fairly difficult to vet: We want the best folks, but not the best folks who happen to also be working for some .gov ... so we revert back to the same overworked team of smart people who go off and attend a few conferences, write exams, or whatever... We're very aware of the problem, and we've got a few people in the hopper to take over the business side of things so that the tech people can get back to doing tech stuff instead of more or less failing at the biz stuff.

We do need a couple techs, don't get me wrong: Besides the Windows client, which is almost complete, there's all the other tech stuff that a growing company needs to keep the engines fired. As a couple of people have noted, we need to shove in a real ticket system. And, mostly, we need a real biz guy so that people like me don't speak their mind and admit mistakes all over the forum. ;)

Anyway, I hear you, and I deeply apologize. We've got the core tech stuff humming, and it's pretty solid, in our defence. Ya, we've got to add some new instances again (as shown by that MTU problem you highlighted which is - I believe - likely the reason we have different MTU frames for different tech platforms (the windows-montreal vs the linux-montreal, etc.) which had caused issues in the past when starting up the android vpns, I believe. I suspect if you used that instance for Windows it will work fine.

We just need more humans and/or bots, and/or less sleep. :)

Thanks for complaining so that we get better (and as a non-corporate person who just wants a better world, I really mean this), and hang in there: The wheels of corporate change are turning, slowly.
by Graze
Tue Apr 29, 2014 5:46 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's Post-Heartbleed Certificate Upgrade Trajector
Replies: 79
Views: 191529

Re: cryptostorm's Post-Heartbleed Certificate Upgrade Trajec

marzametal wrote: ...
When I loaded up CS on Android for the first time, it defaulted to "User/Password +CA + Client Crt/Key"...
Thinking about this again, I had all 5 files copied over from my user directory on Windows to my phone, as per screenshot capture in Graze's initial HOW TO for Android HOW TO for Android - Step 0, but should be step 10.

I just read through the new one created by Tealc, which was linked on Graze's HOW TO via first post slot, and all Tealc mentions is to import the config file, nothing else... not sure if it was an assumption that the other files had to be there too (most likely have to since the config file calls them).

Would be good to pinpoint when it exactly swapped over from User/Password +CA to User/Password +CA + Client Crt/Key. I think I have been using a custom ROM for about a month now, and it defaulted to the full 3, so I have no clue when it swapped from a 2 auth combo to a 3 auth combo...
Note that the later versions of OpenVPN allow "inline certs" so you - in theory - don't need to have the cert files. HOWEVER, I believe the inline ones override - but I'm not sure. :-/
by Graze
Fri Apr 25, 2014 10:53 pm
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's Post-Heartbleed Certificate Upgrade Trajector
Replies: 79
Views: 191529

Re: cryptostorm's Post-Heartbleed Certificate Upgrade Trajec

Here's some info for anyone who wants to be a beta tester:
There's an instance now on bruno that's using along with new certs. The client will have to use the new client certs I put up @ (the files there are named ca2.crt, clientgeneric2.crt, clientgeneric2.key). So for clients to be able to use that new instance ASAP, they'll have to mod their .conf to use those files instead of the old ca.crt & clientgeneric.crt/key. I just tested it and seems to work fine, even with the widget (once you manually grab the new certs and put them in \user and change the vpn to use the IP.)
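The .conf change described in the post above, as an added example (not cryptostorm's own tooling): a Python helper that repoints the `ca`, `cert` and `key` directives at the new file names and reports any inline `<ca>`/`<cert>`/`<key>` blocks, which embed the certificate material directly and have to be replaced by hand. The sample configs, the `remote` address and the function name are constructed for illustration.

```python
import re

# Old -> new file names, as listed in the post above.
RENAMES = {
    "ca": ("ca.crt", "ca2.crt"),
    "cert": ("clientgeneric.crt", "clientgeneric2.crt"),
    "key": ("clientgeneric.key", "clientgeneric2.key"),
}

# "ca <path>", "cert <path>", "key <path>"; comment lines and directives such
# as key-direction do not match because whitespace must follow the keyword.
DIRECTIVE = re.compile(r'^(\s*)(ca|cert|key)(\s+)(.+?)\s*$')
INLINE_OPEN = re.compile(r'^\s*<(ca|cert|key)>\s*$')


def migrate_conf(text):
    """Return (new_text, changed, inline).

    changed: directives that were repointed at the new files.
    inline:  directives supplied as inline blocks; these carry the old
             material inside the config itself and are left untouched.
    """
    out, changed, inline = [], [], []
    in_block = None
    for line in text.splitlines():
        if in_block:
            # Copy inline block contents verbatim until the closing tag.
            if line.strip() == f"</{in_block}>":
                in_block = None
            out.append(line)
            continue
        m = INLINE_OPEN.match(line)
        if m:
            in_block = m.group(1)
            inline.append(in_block)
            out.append(line)
            continue
        m = DIRECTIVE.match(line)
        if m:
            indent, name, gap, value = m.groups()
            old, new = RENAMES[name]
            quoted = len(value) >= 2 and value[0] == value[-1] == '"'
            path = value[1:-1] if quoted else value
            # Keep any directory prefix (either slash style); swap the file name.
            cut = max(path.rfind("/"), path.rfind("\\")) + 1
            if path[cut:] == old:
                path = path[:cut] + new
                value = f'"{path}"' if quoted else path
                line = f"{indent}{name}{gap}{value}"
                changed.append(name)
        out.append(line)
    return "\n".join(out) + "\n", changed, inline


# Constructed sample configs (not a real cryptostorm .conf).
SAMPLE_CONF = """\
client
dev tun
remote 192.0.2.10 443 udp
# key material shipped before the re-issue
ca ca.crt
cert "user/clientgeneric.crt"
key clientgeneric.key
"""

INLINE_CONF = """\
client
<ca>
(PEM data elided)
</ca>
cert clientgeneric.crt
key clientgeneric.key
"""

if __name__ == "__main__":
    for label, conf in (("file-based", SAMPLE_CONF), ("inline CA", INLINE_CONF)):
        new_text, changed, inline = migrate_conf(conf)
        print(f"{label}: repointed {changed}, inline blocks needing manual update {inline}")
        print(new_text)
```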
by Graze
Fri Apr 25, 2014 10:17 pm
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's Post-Heartbleed Certificate Upgrade Trajector
Replies: 79
Views: 191529

Re: cryptostorm's Post-Heartbleed Certificate Upgrade Trajec

After much discussion, we've heard you.

We're going to expedite this as best we can.

There are issues, obviously (we're going to have to prepare for an influx of support requests for those unaware, I suspect) but we'll try to get this done ASAP.

Apologies that we've put it off, but my understanding is that the intent was to make it a more painless experience for the users so we wanted a controlled and thoughtful rollout - there is a tension here between customer experience and security, and as you've pointed out, our reason for existence is more about the latter than the former.

We will keep you informed.

Thanks again, and again apologies for the delay.
by Graze
Fri Apr 25, 2014 8:19 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's Post-Heartbleed Certificate Upgrade Trajector
Replies: 79
Views: 191529

Re: cryptostorm's Post-Heartbleed Certificate Upgrade Trajec

Guest wrote:
Elsewhere on this board there was a post or tweet? about a CS server, accepting a known expired token- how did that happen?
Sigh. I'm going to have to do a wee little rant over this in particular, as some devs (including myself) were just working on this issue (thx to the redbull girls for visiting, btw :) )...

We can speak to this little bit of "gee, look at how that flag is hanging, it sure looks like the whole lunar landing is staged!!!!111one" stuff here with the "accepting a known expired token = obviously the NSA is listening now": The exitnodes each work with independent databases filled with basically just SHA512's and start dates and a few other things. We made the databases so that they were not at all valuable if p0wned (not that we skimp on anti-p0wnage) as there is no cust data AT ALL on these exitnodes, etc. as we've mentioned often before and which is sort of an aside to all this stuff... But because of that, the exitnodes do NOT need to communicate in hyper-real-time with any magic central registry of users as most VPN companies do, thus they do NOT stay perfectly in sync as there are very few bits of data they really need from each other in real-time. One exception is the "when was this token started?"

In fact, up until a release planned for tomorrow, there is a bug in which the replication would "fall over" (that's a geek euphemism for "stop communicating") and thus they were kept in sync rather haphazardly with very non-reliable replication. This is why they were accepting a known expired token. There are just a bunch of really stupid and sometimes non-chatty functionally disposable exitnodes talking to no-one except you, the clients.

Please, don't stop questioning the security, but pah-lease do so with facts, and less with - what I'd have to respectfully now call serious stretching for "was it the same cat?". Throwing random speculation like this out just to panic people (unless you're working for HideMySass or whatever they're called and you're getting pissed off at how we're eating at your market share and all that, in which case - ya, I guess that's your job - panic away... ;) )

by Graze
Thu Apr 17, 2014 4:24 pm
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's Post-Heartbleed Certificate Upgrade Trajector
Replies: 79
Views: 191529

Re: cryptostorm's Post-Heartbleed Certificate Upgrade Trajec

parityboy wrote: ...
Cryptostorm does NOT use persistent private keys, they are ephemeral. Since they don't hang around, collecting one is a pointless exercise, since you cannot use it to decrypt previous traffic. Accusing the CS team of lying, when they CLEARLY state in their post that they don't use persistent keys, is beyond ridiculous and should be apologised for.
The techs will respond again (I'm using email - which is the way they prefer to get thoughts out on "paper") but while I don't want an apology - frankly the internet isn't a place where I expect such :P - I really want you to think about what makes us a company, and what our motives would be.

We are differentiating ourselves by being MORE SECURE. That's what we want to do. We also are trying to be OPEN. So while we may suck at corporate communications (hell, I don't have a fucking clue what I'm doing from a business standpoint) we DO "give a shit."

We eat our own dog food, as they say. I need this VPN to work because my friends are trusting it, and they need it to work for various reasons. At this point we're making just enough money to pay server bills and maybe add a few more nodes. We have no fulltime staff. We're not here to become Facebook.

Also, we have techs who hate corp communication even more than I do, and who don't even know this forum exists, and that's fine, because they fucking rock at what they do, which is largely cryptography, networks and if statements.

So - ya, we're not here to screw anyone, we won't lie to cover our asses if we fuck up. Note that we will fuck up. That's a guarantee - but we'll not be lying about it, we'll be admitting it and trying to fix it.
by Graze
Tue Apr 15, 2014 6:00 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's Post-Heartbleed Certificate Upgrade Trajector
Replies: 79
Views: 191529

Re: cryptostorm's Post-Heartbleed Certificate Upgrade Trajec

Malor wrote: ...
Now, admittedly, I may not be the target audience, but I'm fairly technical, and the loose way you phrase stuff has a minor feeling of bafflegab to it. I know you don't intend that at all, and perhaps it's because you yourself aren't one of the people on the ground actually configuring the servers. But there's a fair bit of, um, I guess I want to call it handwavy abstraction, which I have a hard time parsing to understand what's actually happening.
Just wanted to point out that I was likely the source of the bafflegab. I told them to try to hit a wide audience, so I think they dumbed it down for me. :P Sorry about that... but look at my avatar, I live in a freakin' garbage can, how smart could I be?? :P

by Graze
Mon Apr 14, 2014 5:51 pm
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

I'm going to lock this topic, because our ops folks wrote a long reply here which should give better insight into the issues and our upgrade path. Feel free to add comments there.

Thanks again for your patience, and - as a certified foil hat - I want to say, don't panic. If the NSA had this for two years... ya, damage done, right? No reason not to fix it ASAP, but ... ya. Think about that, and all the targets they could be creating evil nodes for during that time.
by Graze
Mon Apr 14, 2014 8:20 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

Just re-read the article, and I think I'm still right about the reboot thing:
Cloudflare said it rebooted the server about six hours into the challenge, and the company theorized that the reboot, “may have caused the key to be available in uninitialized heap memory.”
Notably, when we did the post-mortem after the patch we had no reboots in that time frame. The patches did not require reboots of any of the servers.

Also, I got a note in IRC from one of the network folks who said he'd chime in in a bit about the cert thing.

Finally, and this goes for all who are reading:

Never hesitate in pointing stuff out. Ya, it may take a few hits over our heads here before the right person hears you, but it's always better to be loud than quiet with this stuff.

by Graze
Mon Apr 14, 2014 7:29 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

Guest wrote: ...
But speaking of this cryptostorm_ops answer does not satisfy my concern one bit. Malor was nice enough to write exactly what I was thinking when I read cryptostorm_ops post. Our past traffic might be safe. Fine. But as long as you don't change your exit node certificates we are always in danger to be the subject of transparent man in the middle attacks.
OK, as I said, I'm not a network geek. I'll get one in here to answer, but my understanding was that DHE protected things.
Guest wrote: Also Graze is wrong about the time it takes to extract sensitive information. There are proven examples out there of people extracting the private key and certificate in less than 30 minutes. One took 1,3 Million attempts another only 100.000. I will post a source to those later if I find the article again. It was a 'contest' held by a cloud provider wanting to boast that their nginx servers are not subject to private key leaks.

So here is me getting rude again because my blood temperature rises slowly but steadily until it might boil... Move your ass and get those exit node certificates changed NOW! I give a bloody shit about the forums and you are right to put it on low priority. The exit nodes however are the heart of this vpn. Slack off here and you are no better than most other vpn that are willing to take chances on customer security.
Fair enough, again, apparently I'm missing something that's important to this whole thing, so I'll pass this on and ensure they at least read this - if they haven't already.
by Graze
Mon Apr 14, 2014 7:23 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

Malor wrote:Private crypto keys are accessible to Heartbleed hackers, new data shows

This is extremely serious. You have to assume that the NSA now has copies of your server authentication keys, and they can MITM you for as long as those keys are valid. Whether or not they actually do, you must assume they do. And China and Russia and Iran could all have grabbed them too, of course. Being a VPN service, you are the highest of high-priority targets.
Yes, our forum can be MITMed. Yay. This post could actually be made by a Chinese hacker trying to subvert... this forum. Or to replace the pic of a doge with one of a kitteh. I'm not trying to be a jerk, but I guess I'm a bit frustrated at how hard it is to convince people that - with no central servers - and with no static keys - things are not as interconnected as you may think.

I think we need a new, simpler post to explain how hard we worked to make our VPNs not have a fucking thing to do with anything like this here site. All those exitnodes are using ephemeral keys, they have no central auth. They really don't like to talk to anyone.
by Graze
Mon Apr 14, 2014 7:17 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

Malor wrote:...
I don't really care about the forum key, but I'm incredibly worried about the VPN keys. In this scary new world where governments are the declared enemies of their own citizens, there are literally people whose lives depend on that crypto.
Sigh. Again, there are no "VPN keys" as such as they are. See the Diffie Hellman Ephemeral note here...
by Graze
Mon Apr 14, 2014 7:12 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

cryptostorm_support wrote:
Guest wrote:Dear Cryptostorm,

I think you are not giving this situation the right amount of attention it deserves. You don't know what the techies did?! WTF?! Get your shit together please! We are trusting and counting on you. There are even some peoples lives in your hands! Want them to become bloody by neglecting your duties?!
As for me, I am (as in, the person typing RIGHT NOW, at this exact instant) a support guy, not a Dev. I am therefore not on the frontlines of code so there are things I cannot speak on with some authority. I could easily say "yes, yes. Everything is fine!", but THAT would be shirking of duty if I didn't have concrete confirmation of such, hence why I went back for clarification.

Just wanted to briefly point out to anyone reading this that our team is really loose here.

Some of the accounts (such as support, ops, twitter) can be run by one of many people depending on the hour, etc.

We have a few people who live and breathe networks and security, a few people (like myself) who are tech and security aware (but who are masters of nothing :P) and who sort of facilitate stuff and do some light admin and management work, and a bunch of people who are basically doing triage. You will not always get a network-aware response, nor will you always get an immediate reply if it requires an email to be sent off to a dev in one country or another, who may be sleeping or who may actually be off doing some other project. We're a small company, and many of us know each other by only a nick or a couple of initials or whatever.

So ya, just be aware that your feedback in this case was indeed sent off to devs, but the response wasn't sent back to the forum in a timely fashion - not the fault of the overworked help folks (some of whom volunteer just because they want to help us out) so apologies if anything takes a bit to get back to the forum. I often tell people if you've got something really important, send it to and it'll be easier for the help folks to pass it off to the devs or biz folks if required if it's in an email.
by Graze
Mon Apr 14, 2014 6:54 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

Operandi wrote:Thank you for the update, guys. That's a relief.
cryptostorm_ops wrote:HOWEVER ... we do have brochureware around such as this forum - which we will re-issue certs for, but on the scale of things, it's not a priority.
How soon should we expect an update of the forum's certificate(s)? I feel like changing my password.
Short answer is soon. But here's a longer answer...

At this time there are a couple things I'd like to personally point out:

1) It seems that people who have successfully grabbed private keys did so with either a VERY known set of params (such as spinning up an AWS instance THEN catching the keys quickly after) which sort of implies that spinning in a loop on a server while waiting for it to reboot so you can catch the keys right after is a possibility. But we didn't need to reboot in the period where a small set of people were ramping up hacks ... and otherwise it looks really hard to do and random. The sort of trial and error that takes a lot of time. Remember, we were only open for a short amount of time, so time matters.

2) Also, if I was a black hat, and if I had working code early on during this thing, what would I target? There are two choices that come to mind: Power, and money. I'd target a bank, or (if I wanted $'s) a crypto currency exchange or something, or a .gov if I wanted to do something with power. I'd not be targeting what to the world is a really, really low traffic forum full of people who use a VPN system. If I wanted a ton of passwords, and wanted to attack a forum, there are STILL some really REALLY high traffic forums unpatched and spouting off passwords with every refresh (remember that this vuln does NOT have to happen on port 443, so even if the site appears patched, some obscure MySQL or IRC or mail port that someone forgot about can - and often is - still vulnerable. So your password is likely still spewing out of other sites still as we type this - Just sayin' ;) )

So I totally get why you want us to hurry and patch, and why we should and will once all the required parties are online at the same time (I blame hookers and blow - and timezones. :P ) But this was not the sort of place where people would have spent those few precious early hours waiting for someone to log in just so they can read a PM if they had half a brain - and most of them do. And if you're worried about the NSA, as @thegrugq points out, remember the whole point to PRISM is they already have all your Google/Yahoo/etc. passwords :P

Just my opinion, but - again - I do agree we need to get on this.
by Graze
Wed Apr 09, 2014 6:36 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

Graze wrote:... or IIS or ...
Now, is it my imagination, or is this one time that Microsoft is sitting back laughing, as IIS is surely (?) not OpenSSL :P
by Graze
Wed Apr 09, 2014 6:35 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

parityboy wrote:@thread

Well done for catching this. :D How does this affect us client-side, now that the server side has been fixed? Do we users need to update our OpenSSL versions also?
Not unless you are running a server, I believe - HOWEVER, the number of items that use OSSL are massive. So if you've got some little java server or IIS or node.js, or RoR or ... whatever ... running on port 443 on your box... Ya. Watch that. We originally forgot our webhosting servers, and had to update those. Some companies are apparently just saying screw it and adding a firewall rule to block all heartbeats, which isn't a bad idea if you've got the infrastructure/topology for that. Makes doing the inventory something you can do later at leisure.
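An added example (not from the original post or cryptostorm's setup) of what a heartbeat-blocking filter looks at: TLS records with content type 24, plus the RFC 6520 length check that flags a heartbeat whose claimed payload is longer than the record carrying it. It assumes plaintext records, since heartbeats sent after the handshake are encrypted and only the record type is visible; the sample bytes and function names are constructed.

```python
import struct

HEARTBEAT = 24      # TLS ContentType assigned to heartbeat records (RFC 6520)
HANDSHAKE = 22
MIN_PADDING = 16    # RFC 6520: a heartbeat message carries at least 16 padding bytes
HEADER_LEN = 5      # content type (1) + version (2) + length (2)


def parse_records(stream):
    """Yield (content_type, fragment) per TLS record; fragment is None if cut short."""
    offset = 0
    while offset + HEADER_LEN <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        fragment = stream[offset + HEADER_LEN: offset + HEADER_LEN + length]
        if len(fragment) < length:
            yield ctype, None
            return
        yield ctype, fragment
        offset += HEADER_LEN + length


def classify(ctype, fragment):
    """Label one record the way a heartbeat filter would see it."""
    if ctype != HEARTBEAT:
        return "other"
    if fragment is None or len(fragment) < 3:
        return "heartbeat-malformed"
    _msg_type, claimed = struct.unpack_from("!BH", fragment)
    # Type byte + length field + claimed payload + minimum padding must fit in
    # the record. A patched peer discards the message silently when it does not.
    if 1 + 2 + claimed + MIN_PADDING > len(fragment):
        return "heartbeat-overlength"
    return "heartbeat-ok"


def filter_stream(stream, block_all=True):
    """Return [(label, drop)] for each record.

    block_all=True models the blanket rule from the post: drop every heartbeat.
    block_all=False drops only heartbeats that fail the length check.
    """
    verdicts = []
    for ctype, fragment in parse_records(stream):
        label = classify(ctype, fragment)
        if block_all:
            drop = label.startswith("heartbeat")
        else:
            drop = label in ("heartbeat-overlength", "heartbeat-malformed")
        verdicts.append((label, drop))
    return verdicts


def record(ctype, fragment, version=0x0302):
    """Build a TLS record around a fragment (helper for the constructed sample)."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


# Constructed sample stream: one handshake record with dummy content, one
# well-formed heartbeat, and one heartbeat whose length field exceeds its record.
SAMPLE_STREAM = (
    record(HANDSHAKE, b"\x00\x00\x00\x00")
    + record(HEARTBEAT, struct.pack("!BH", 1, 4) + b"ping" + bytes(MIN_PADDING))
    + record(HEARTBEAT, struct.pack("!BH", 1, 0x4000))
)

if __name__ == "__main__":
    for label, drop in filter_stream(SAMPLE_STREAM):
        print(f"{label:22s} {'DROP' if drop else 'pass'}")
```

The blanket mode is what buys time for the inventory mentioned above: it needs no knowledge of which services behind the filter are still unpatched.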

by Graze
Wed Apr 09, 2014 6:30 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: CLOSED: aleph tokens ~ unlimited duration batch
Replies: 33
Views: 57903

Re: aleph tokens ~ unlimited duration tranche

4*p*tV2b wrote:so in plain english, these are lifetime access tokens, lifetime access to cryptostorm

the invitation to purchase one of these is limited till when, assuming one has gotten an invitation?
You are correct, lifetime tokens, and as of this time I believe there are still a couple left, so if they stay unclaimed it's in theory an unlimited time offer ;) However, we're about to do another set of promos for those, I believe.
4*p*tV2b wrote: or is the email invite me, one is on the 'waitlist' , can't understand what ' sequential distribution via waitlist ' means
We got requests in order, so we're sending out invites in order. Honestly after a few weeks we have to assume people have changed their mind and thus we'd move on.
4*p*tV2b wrote: also being newbie: is 'darknet' synonymous with 'cryptostorm' vpn ?
I'm not the marketing arm, but basically darknet is a cute way to say hidden. There is a reason we have chosen that particular term which has something to do with some cool tech we have coming down the pipes, but at this time it's fine to think of us as a VPN. HOWEVER, we're a really solid post-Snowden VPN with DHE-based PFS (insecure fallbacks disabled) and with a cool and unique decoupled user-systems, thanks to the token concept.

4*p*tV2b wrote:lastly, with your services, what would be the process to change vpn servers, so that one's IP was randomized from time to time, or is that something done with cryptostorm? thankyou
We don't do any automagic floating of IPs around yet, but our v1.0 client (final testing) now has a dropdown for exitnode selection, making it far easier on the windows side to select an exit.

Hope that helps!
by Graze
Tue Apr 08, 2014 6:39 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: URGENT: The Heartbleed Bug
Replies: 34
Views: 61079

Re: URGENT: The Heartbleed Bug

We have updated all nodes to OpenSSL 1.0.1g and recompiled OpenVPN and restarted all servers. Sorry for any disconnects, but... ya.

On the bright side, we're not a bank or a bloody cryptocurrency site where there's actually anything of value behind the curtains. I'd HATE to be one of those guys tonight.

by Graze
Mon Apr 07, 2014 4:44 am
Forum: member support & tech assistance
Topic: No connection with windows 8.1
Replies: 5
Views: 8253

Re: No connection with windows 8.1

Ya, sounds like you and the widget are not working out - the OpenVPN solution works fine (really the widget is just a wrapper) and uses less CPU for some people.

Good luck!
by Graze
Sat Apr 05, 2014 7:00 pm
Forum: member support & tech assistance
Topic: Really slow speeds
Replies: 6
Views: 8692

Re: Really slow speeds

exempt wrote:I'd also like to mention again that for each of the exit nodes that you may not always end with the same host/server.
For example, using a config file with

And France is up on deck shortly - once we get past some pesky config issues with the provider. Then the next location, which is still up-for-grabs (though we're now in a position to quickly spin up locations thanks to some provider relationships and handy VM tech goodness which allows for quick deploys.)
by Graze
Fri Apr 04, 2014 4:30 am
Forum: general chat, suggestions, industry news
Replies: 4
Views: 12339


Good Q - Have seen these folks around the net, and they seem cool - but no info on the project(s)...
by Graze
Fri Apr 04, 2014 4:26 am
Forum: member support & tech assistance
Topic: Really slow speeds
Replies: 6
Views: 8692

Re: Really slow speeds

exempt wrote: ...
The USA and Canadian servers should be fast for you. Are you using ethernet or wireless? What are your ISPs advertised speeds?
Fair advice. Get a baseline # first and then compare the differences, but try out the North American exits. There's just so many hops when you go all the way to Germany and back - it's typically helpful to hit up a server that's pseudo-local to your backbone.

If you keep having issues, send a note to and they'll possibly put you on the alpha for the new client - which doesn't do anything for speed, but has a cool dropdown for selecting exitnode. ;)
by Graze
Tue Apr 01, 2014 7:39 am
Forum: independent cryptostorm token resellers, & tokens 101
Topic: Reseller page...points to...?
Replies: 2
Views: 23008

Re: Reseller page...points to...?

Yay, this has been addressed - finally. :)

On a larger scale, what this means is that any resellers have an opportunity to add a sales pitch here. No point in us doing so, as you know better than we do why you rock. :)

by Graze
Fri Mar 28, 2014 4:15 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: android cryptostorm howto DEPRECATED | go to
Replies: 35
Views: 47834

Re: HOWTO: openvpn for android cryptostorm (deprecated)

I am going to lock and (eventually) retire this thread, because ...

Tealc started another one that is less confusing here.

Thanks to everyone who worked on this!
by Graze
Fri Mar 28, 2014 4:13 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: android cryptostorm howto DEPRECATED | go to
Replies: 35
Views: 47834

Re: HOWTO: openvpn for android cryptostorm

acid1c wrote:These instructions are still relatively useful except a few kinks have been worked out since. :)
I have a leakblock for android post in the leakblock subforum, with talks about using fdroid for means to download a firewall, the openvpn for android app, Firefox and others. I will gladly start an updated android post if need be, :)

Tealc already did, here: Feel free to add to that one, and I'll let this one stumble off into the distance. I linked to it in the first post here, and marked this thread deprecated.

Thanks again, all!!
by Graze
Thu Mar 27, 2014 8:16 am
Forum: general chat, suggestions, industry news
Topic: DesuStrike resigns from all froum duties
Replies: 9
Views: 17961

Re: DesuStrike resigns from all froum duties

Tealc wrote:I'm really sorry to see you go, sometimes, especially in the "OpenVPN config topic" I thought that we were the only ones here in the forum :-D
I've loved the several debates about the configuration files and its options, loved that I've found a way to put the configuration file up and working with no errors in the logs, and managed to do an auto-login feature with one single file :-D

Sorry to see you go, but I do understand your choice, and I think it's better to quit gracefully than to leave everything "die" and then quit.

Hope to see you soon

You know, it's hard to understate the amount of value that people like Desu, you, and all the other people who are working hard to make a difference have actually done here. I wrote a whole bunch of other stuff that was really over the top, but I deleted it all and replaced it with this:

Thank you. Without the help of everyone here, there would be no progress against the All Seeing Eye.

We'll keep iterating over this until it's so easy our grandmothers can click on some icon and know that no-one but their grandchildren will hear their voice. That will be sweet victory.

Sounds over-the-top, but that's what we're all building here. :)
by Graze
Wed Mar 26, 2014 10:12 pm
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: android cryptostorm howto DEPRECATED | go to
Replies: 35
Views: 47834

Re: HOWTO: openvpn for android cryptostorm

Jarmer wrote:are there any plans for an android app by the cryptostorm team?

also, all these instructions are quite dated now aren't they? is there any post or place where we can get a pretty simple and easy to follow "here's how to connect on android " ...?

otherwise thanks so much for all the instructions.
One of our devs did a branch of the older OpenVPN app for another VPN company. So there's tech savvy in house to make a "just type in your token" version. However, we still are finishing up the Windows widget and the Apple people are being vocal about how they don't have a widget... So hopefully soon is the best we can say on this. :P
by Graze
Wed Mar 26, 2014 9:19 pm
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: android cryptostorm howto DEPRECATED | go to
Replies: 35
Views: 47834

Re: HOWTO: openvpn for android cryptostorm

Hmmm. I have CyanogenMod 4.2.2 - And have not tried a VPN install for a long while (I have re-imaged my phone many times since the original posts in here) maybe it's time to give it another shot and see how it works out?

If you get AUTH_FAILED, the client has a cool feature to get a copy of the logs - you could email those to they might be able to figure out if it's a bad token or whatever.

EDIT TO ADD: Once we prove this install out - and the versions it works with - it makes sense for us to make the EASY version of this post into a static page on our website, instead of these wonderful discussions and debug sessions here.
by Graze
Mon Mar 24, 2014 6:14 am
Forum: general chat, suggestions, industry news
Topic: DesuStrike resigns from all froum duties
Replies: 9
Views: 17961

Re: DesuStrike resigns from all froum duties

Indeed, it will be a very big hole you leave, Desu, and let me thank you for all you have done. You have definitely helped massively as we have clawed our way out of the VPN muck. :)

Please know that the door is always open if your situation changes in the future, and even if you just pop in once a week or month or whatever, your input and awesome attitude will always be welcome!

All the best!
by Graze
Fri Mar 21, 2014 6:18 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: android cryptostorm howto DEPRECATED | go to
Replies: 35
Views: 47834

Re: HOWTO: openvpn for android cryptostorm

acid1c wrote:As for android only clusters, I've had no problems connecting on montreal, germany, and iceland. and while separate tokens are great to have, and essential for privacy purposes, 1 token does indeed work on multiple devices, I do have a leakblock for android thread, but for some reason I don't have edit perms anymore. :(
On the general forum issue stuff, we had issues with the PHP in the forum when we were playing with the skins a few weeks ago. Somehow we corrupted the thing - but just enough so that it was stumbling on, sort of. We have it stable now, but me and another dev did so by chaining our way through errors ("oh, now the forum is complaining that it cannot find the blah.php file, so let's just copy that over from the standard theme directory", etc.). Side effects seem to be:

1) Some of the more obscure functions are not working 100% correctly. For example, when we switched our BitMessage address over, I went to PJ's signature to change it there, and the admin function that allows you to edit signatures with a cool WYSIWYG editor totally corrupted it, and did not allow me to get it back until I logged into MySQL and changed it there. So ... I'm scared to change anything! :P
2) Some mostly benign issues remain, such as some of the moderation functions (these didn't throw as many errors so we may not have fixed them all) - so if you see any issues, send a note to and one of us will be lucky enough to have it sent to our attention, and we'll roll our eyes and roll up our sleeves. ;)

Thanks again for the support!
by Graze
Fri Mar 21, 2014 5:58 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's network access widget, rev. 0.9 public beta
Replies: 21
Views: 62910

Re: cryptostorm's network access widget, rev. 0.9 public bet

spotshot wrote:did the 10 already have tap installed from previous support,
I tested on clean windows install without any previous tap installed
Indeed, those were mostly people who complained about issues when migrating from other services. Interesting!

Thanks again, I think that's our smoking gun!
by Graze
Fri Mar 21, 2014 5:47 am
Forum: general chat, suggestions, industry news
Topic: [UNOFFICIAL STATEMENT] about the current forum situation
Replies: 12
Views: 22034

Re: [UNOFFICIAL STATEMENT] about the current forum situation

vpnDarknet wrote:I don't know if this has been suggested before, but how about a wiki page.
That would be lots easier to maintain, search, navigate, and moderate than the discussion forum, and I have no issues hosting it, or a version of it.
Now you are into a religious argument between me and at least one other person here.

I love wikis. I use them all the time, and I actually use a personal one that just has all those little snippets of code one accumulates over the years, and wherever I work I try to set one up and get everyone else to use it. The argument against it is that a wiki takes staff time to maintain. This can be somewhat valid, however, as seen on a million open wikis out there (Minecraft, etc.) they are pretty much self-maintaining once enough people care about the content.

So .. thank you! If anyone else is a fan, please say so, and we'll see where that argument ends up. :)
by Graze
Fri Mar 21, 2014 5:43 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's network access widget, rev. 0.9 public beta
Replies: 21
Views: 62910

Re: cryptostorm's network access widget, rev. 0.9 public bet

spotshot wrote:tested new setup_v0.99.exe

installed on XP pro, Win7 x32 and x64 and windows 8.1 x32
connection hangs on all OS's, will not install the TAP driver,
confirm by installing open VPN, this installed the tap, then I could connect
using the client.
Yikes... OK, well... That sucks. Odd thing is we sent it to about 10 people who had support issues and all 10 were happy. Really odd.

But thank you so much for the feedback! Will send it in to the devs and see what's up.

Apologies for the issue.
by Graze
Thu Mar 20, 2014 7:22 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's network access widget, rev. 0.9 public beta
Replies: 21
Views: 62910

Re: cryptostorm's network access widget, rev. 0.9 public bet

So, our lead dev is working feverishly on the v1.0. That should be in alpha shortly. The helpdesk did some beta work on the above v0.99 with some clients, and it has shown itself to be stable, and to play well with existing TAP driver issues.

In the meantime, some notes from our devs on the installer...
for everyone who's getting false positives with their AV scanners, have them look at .
NSIS is used to make the setup.exe installation file, and since it's free and open-source, it's used by some malware.

The other false positive we see (according to ... 2d954f3b2f )
is in the libeay32.dll file, which ClamAV reports is infected by "PUA.Win32.Packer.Pseudosigner-35".
However, ... 394987101/
doesn't see any such infection, and it also includes a scan from ClamAV.

The libeay32.dll file used in the widget comes directly from , which is linked on the official OpenSSL site . So it's clean.
by Graze
Thu Mar 20, 2014 7:07 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm's network access widget, rev. 0.9 public beta
Replies: 21
Views: 62910

Re: cryptostorm's network access widget, rev. 0.9 public bet

Here's an update to the client:


Fixes a couple of the TAP driver issues, and also fixes some install/uninstall issues. Probably does not address the CPU issue as that issue was not targeted (we took a quick look and it seemed to be a "feature" of the TCL engine, so that was not dug into at this time - it's still on the list to investigate, however.)
by Graze
Thu Mar 20, 2014 7:00 am
Forum: general chat, suggestions, industry news
Topic: [UNOFFICIAL STATEMENT] about the current forum situation
Replies: 12
Views: 22034

Re: [UNOFFICIAL STATEMENT] about the current forum situation

Operandi wrote:Thanks for the information, DesuStrike. Indeed, I felt that the forum has become less lively as of late.

Speaking of configs: I think I found out how to fix the latest official one for Windows (which simply doesn't work). Could you ask someone in charge of these things to take a look at the beta thread?
Done. I increased the config version to 0.93

Thanks again!
by Graze
Thu Mar 20, 2014 6:56 am
Forum: general chat, suggestions, industry news
Topic: [UNOFFICIAL STATEMENT] about the current forum situation
Replies: 12
Views: 22034

Re: [UNOFFICIAL STATEMENT] about the current forum situation

Just wanted to chime in here with another apology (I just did one over on the windows non-client thread where Operandi and all were patiently waiting for feedback)... Things have been very busy, and we just don't have the staff for massive levels of support, so when all our techs are off on development binges or off at conferences or on much needed vacation or whatever, we create a beach head at (making sure that people who just paid can actually connect) and some of the other functions like keeping up with the forum fall back a bit. So the hint there is - as DesuStrike says - you can always get a human in an emergency (with a caveat I'll mention later.)

I'm personally working on a few different projects at the moment (also currently unpaid as basically cryptostorm is paying its own server bills currently and not much else) and am a bit low on CPU cycles to do all the things I want to be doing for the team. I'm sorry about that. I have great intentions, I keep saying "wow, yes, that's cool, I want to help on THAT!" but... Ya. Stupid needs for food and sleep get in the way. :P

Anyway, that said, I want to say a few thanks...
1) Thanks to Desu for all the hard work - unpaid, just because he knows this is really cool stuff that is happening here
2) Thanks to everyone else who is also pushing the pebble up hill. Slowly things are evolving and improving. And without your help, it wouldn't be worth it.

Oh ya: The caveat about support is sometimes people ask things that front line staff cannot answer, so they send that to the techies. Those guys may be able to answer immediately, or maybe not. I apologize as well for those incidents: We now have things fairly stable, with a few exceptions, but then when someone has one of those Windows boxes that refuses to send packets, it can get really labor intensive and then we're in for a wait. The main issue there is keeping the customer informed, I think. We've not been perfect with that - at all.

I'll talk to PJ about the moderator issues. I have no issue with mods, of course, but I'm not really great with forums, so I don't want to screw anything up. :P

Thanks again!
by Graze
Thu Mar 20, 2014 6:20 am
Forum: cryptostorm in-depth: announcements, how it works, what it is
Topic: cryptostorm: non-widget Windows config file beta testing
Replies: 27
Views: 45996

Re: cryptostorm: non-widget Windows config file beta testing

Okeydokie... First off, this:

Serious apologies on all the AFK-edness. :P Most of us are only part-timers, and some of us are on other super-duper projects that seem to ebb and flow and basically - when it rains, it pours. It seems like everyone is off in other timezones and on other cool projects for the last week (on the bright side, one of the projects is the 1.0 version of the Windows widget, which is really nice, and solves a number of the sadnesses the current version has...)

So. That said, two more things:

1) We try not to skimp on support, so the email is a good way to get a human within a few hours, depending on coverage, urgency, etc.
2) Thank you so much for your help debugging this

I don't know how to stress #2 enough, but the footwork you have done in this thread is priceless.

So... Ya, thanks.

We will try to get those changes in shortly. I'll just want to check with staff to see what all points at that existing link so that I don't dangle references to the old file.

Thanks again!!
by Graze
Mon Mar 10, 2014 1:59 pm
Forum: member support & tech assistance
Topic: Expired Tokens Not Expiring?
Replies: 3
Views: 5145

Re: Expired Tokens Not Expiring?

And... it's up to me to reply.

Basically, the whole thing is set up differently than most VPNs, in that we don't have a central customer database. The side effect of this is we have lots of little databases with the token hashes in them, and ancillary data. We use "replication" to keep those in sync with each other, which is a bit of a side issue, but it basically means the databases are supposed to talk to one another and agree on start dates and stuff, but obviously there's an issue in there with that. Our tech team will have to take a peek at that.

I _believe_ that all start dates are UTC, but I would have to further ask the neck beards here.

by Graze
Wed Mar 05, 2014 5:23 am
Forum: member support & tech assistance
Topic: Orphaned tokens. They need a home!!
Replies: 2
Views: 4521

Re: Orphaned tokens. They need a home!!

Eboman wrote:I'll take one, if it makes you feel any better.

LOL. Well, it's nice to give them a home, I just want to give them to the folks who filled out all the adoption papers. :thumbup:
by Graze
Tue Feb 25, 2014 6:30 am
Forum: member support & tech assistance
Topic: I've installed the widget, but it "hangs up" - help!
Replies: 11
Views: 9190

Re: I've installed the widget, but it "hangs up" - help!

I have over the years had this happen with CryptoCloud, and a couple of other OpenVPN clients. I briefly had an issue with cryptostorm when we were still in alpha, but then realized I had other, older OpenVPN stuff installed and got rid of that (with reboot!) and reinstalled and all was good.

Anyway, I wonder if the use of the Windows DevCon tool will be an aid to learning what's going on with "stuck clients"?

Here are the docs: (the EXE download is near the top of the page)

Code:

Device Console Help:
devcon.exe [-r] [-m:\\<machine>] <command> [<arg>...]
-r if specified will reboot machine after command is complete, if needed.
<machine> is name of target machine.
<command> is command to perform (see below).
<arg>... is one or more arguments if required by command.
For help on a specific command, type: devcon.exe help <command>
classfilter          Allows modification of class filters.
classes              List all device setup classes.
disable              Disable devices that match the specific hardware or 
                       instance ID.
driverfiles          List driver files installed for devices.
drivernodes          Lists all the driver nodes of devices.
enable               Enable devices that match the specific hardware or 
                       instance ID.
find                 Find devices that match the specific hardware or 
                       instance ID.
findall              Find devices including those that are not present.
help                 Display this information.
hwids                Lists hardware ID's of devices.
install              Manually install a device.
listclass            List all devices for a setup class.
reboot               Reboot local machine.
remove               Remove devices that match the specific hardware or 
                       instance ID.
rescan               Scan for new hardware.
resources            Lists hardware resources of devices.
restart              Restart devices that match the specific hardware or 
                       instance ID.
stack                Lists expected driver stack of devices.
status               List running status of devices.
update               Manually update a device.
UpdateNI            Manually update a device without user prompt 
SetHwID              Adds, deletes, and changes the order of hardware IDs of root-enumerated devices.
It would be a stunningly dangerous tool "hey, Mom, type 'devcon disable keyboard' (or whatever) and press enter!" :P but if we can figure out what's getting those few people stuck, that would be great.

Oddly, while we're doing research a couple people have just done one more uninstall-reboot-install-reboot cycle and somehow got it up and running, which is baffling.

Windows, Y U NO Make Sense!

I'll maybe gently play around on my test box and see if this offers any insight at all.
by Graze
Mon Feb 17, 2014 4:35 pm
Forum: crypto, VPN & security news
Topic: [TF] Canada Wants VPNs to Log and Warn Pirating Customers
Replies: 5
Views: 6902

Re: [TF] Canada Wants VPNs to Log and Warn Pirating Customer

parityboy wrote:n combination with a notice policy and fines are a disaster for VPN providers, and that’s not an overstatement.
I generally notice that when people explicitly claim something is "not an overstatement"... it usually is. Sort of like when people say " me, I'm being totally honest with you here" - they're not.

And that's no overstatement - honestly! :mrgreen:
by Graze
Sat Feb 15, 2014 8:03 pm
Forum: member support & tech assistance
Topic: I've installed the widget, but it "hangs up" - help!
Replies: 11
Views: 9190

Re: I've installed the widget, but it "hangs up" - help!

OK, what usually works is a slightly different thing than above, but it's close:

1) Uninstall any other VPN stuff (OpenVPN, Cryptocloud, etc.)
2) Reboot (don't skip this!)
3) Follow these instructions:

Basically, as I understand it, we're using the latest OpenVPN versions and we are not allowing it to downgrade if it fails to find the latest version (intel thx to Snowden), so if there are previous versions they basically block correct operations.

Please try this and tell me if it helps.

PS: If you can email that's a somewhat faster way to contact us. If not, no worries, we'll get to ya. :)