A few days back, I came across this tweet from @MattBlaze. It doesn't say anything that security professionals aren't already supposed to know, but it got me thinking nevertheless...
This is not a controversial statement, in other words. No system is perfect - there's only a baseline, and then improvement. And improvement comes from honest assessments of how a system is performing: you can't improve something if you don't know it needs improvement. All pretty obvious statements - indeed, they're close to being platitudes.
In the "VPN industry," which I've observed from a close range since back in 2006, this is so far from the norm as to be an almost mythical ideal. In this "industry" (I'll drop the "scare quotes" now; point being that an industry implies a degree of cohesion and meta-organization, which the VPN world basically lacks entirely), there's a surfeit of hype and unfounded claims and random insertions of sounds-good text into just-written websites for newly-created companies.
I know personally of examples where text written in one company's website or promotional materials has been cribbed verbatim and pasted into other company usage - with no concomitant change in, you know, the actual operations underlying the business! The most classic example of this is how "no logging" went from something revolutionary in the industry, to something that's now a me-too claim made by basically everyone. And yet, how many of those companies actually don't log? Just this week, I became aware of one company who - whilst at the same time proclaiming a no-logging policy in public, loudly so - was admitting in email correspondence that they have logs and can thus track down anyone "abusing" their network, no problem. And that's just one example of many.
So, yeah... this industry is rife with bullshit, hype, and overblown security claims that simply don't stand up under inspection. Appelbaum has made these criticisms in a recent paper, and the sad truth is that he's entirely right about that. Selling snake-oil bullshit has become a de facto best practice in the VPN industry. It's a race to the bottom: each company tends to push that envelope just a little bit more: overpromising, underdelivering, overhyping... and the ones that do that best get more attention from the press, more customers, more (short-term) success, and thus put pressure on others to play along.
That's how, in the short term, the bullshitters get ahead of the game. Hype, and underinvestment in real technology, and - yes - gutter attacks against other legitimate VPN providers are the tools of the bullshitters, and those tools are very much in play.
But is this good for the VPN industry, let alone the actual customers themselves? Obviously not! With each iteration of the "scummier-than-thou" approach to the business taken by prominent VPN companies, the world of prospective customers discounts further and further anything said by anybody in the industry: it becomes like buying from a used car salesman: you expect her to lie, it's just a given. That's where the VPN industry is going, and it's going there steadily and consistently.
What gets lost in this is genuine innovation, amongst other things. Let me ask the readers this: name one - ONE - genuine innovation in the VPN industry in the past three years. How about it? I can't think of one. How fucking pathetic is that, seriously! What other industry - let alone technology industry - comes up with basically zero innovations over the span of THREE YEARS' TIME?
And this is happening in the context of a world where threats to privacy and security online are increasing at an increasing rate: accelerating, geometric increase... all but asymptotic. From governments and dragnet mass surveillance to organized ID theft and banking creds theft groups - it's all getting harder, faster, scarier, sharper. This is not a standstill target; no, this is a situation where the world - and the market - is changing and evolving like crazy. But the VPN industry? It's still recycling the same shit that companies like Cryptocloud first pioneered back in 2007... six fucking years ago.
Yes, that's directly tied to the tweet which started this article. The VPN industry is incapable of admitting problems, either as an industry or as individual companies. Thin-skinned kids react like spoiled brats when someone makes a constructive critique of anything relating to their cash cows, err, fancy hi-tech VPN businesses. Nobody is willing to accept criticism - let alone actively seek it out. Code isn't audited; fuck, code isn't even released. Fuck... nobody even asks that code be released.
You can see my point.
That's got to change. Simply put, it's got to change. If it doesn't, the VPN industry is going to be left behind as the world moves forward. Alternative projects (like Tor) will close the usability gap, and customers will ditch paid VPN services as if they were Betamax VCRs in an era of torrent swarms. All these kids getting "rich" by overhyping me-too VPN models will have to go back to real jobs. The boom will turn to bust - because of lost, permanently burned trust from customers. It's happened to other industries before; there's no law that says an industry will exist forever. Anyone remember paid screensavers from the 1990s? Berkeley Systems? The buggywhips of today...
Someone in this industry is going to step forward and start behaving like true professionals: actively seeking critique from other security pros, actively improving operations, actively publishing code and network specs, actively deploying genuine service breakthroughs... just like "real" companies do in real industries. Whoever does that will be savaged by competitors, and likely will be cold-shouldered by "journalists" who like the existing setup where choosing a VPN service is basically a popularity contest refereed by whatever blog is popular this year.
But some journalists will see what's going on, and report on it. Some other companies in the industry will step up and show leadership. And, of course, customers will know: they'll know who is legit and who is full of shit. They always do... eventually.
If this post sounds a bit like a broadside against the status quo, and also a premonition of some pending announcements... good! It is. Both. I'm just some random academic-in-exile dude who's been around the industry long enough to see it evolve, but is far enough removed to be able to call bullshit when it's knee-deep and growing. And I have, and I am.
Time for the next chapter in the "VPN industry" - where network security companies grow up, and take a leadership role in protecting people all over the world from bad things online. The demand is there: enormous, and growing. What's missing is professionalism, and competence, and integrity. And everyone knows it.
So that's how I react to the flaws in the industry: I react with honesty, and with a genuine desire to be part of dramatic positive change. Things aren't good right now, and they have to get better. Acknowledging that is the first big step towards making it so.
Let's make it so...