Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

cryptostorm: on security, elegance, & changing the world

Looking for a bit more than customer support, and want to learn more about what cryptostorm is , what we've been announcing lately, and how the cryptostorm network makes the magic? This is a great place to start, so make yourself at home!
User avatar

Topic Author
Posts: 159
Joined: Sat Mar 02, 2013 12:12 am

cryptostorm: on security, elegance, & changing the world

Postby cryptostorm_team » Sat Oct 26, 2013 3:33 pm

Well, it's been a week now since we made our network available to outside connections - a beta launch we've been working on for several months... and, in truth, features we've been slowly building towards for years. In particular, our token-based authentication system has been a gleam in our eye since at least 2008.

Now, it's a reality.

We've been really pleased by the support and assistance that's come forth from the community during this beta testing phase. Many folks have stepped up to help test out network connections from various platforms and using various client-side tools, and we've had sharp-eyed folks catch typos on our website, broken links in the forum, and various rough edges here and there. This kind of engagement from the community is enormously helpful, as there's just no way a small team can do that kind of full-scale test assessment in-house; if we did, it'd take years to build out the network and related systems architecture... which would just be useless.

Additionally, folks have come forward to purchase network access tokens - despite the fact that we're very much in beta testing mode, and things are still far from elegant when it comes to "user interface" features (see below, for more details). That's a tangible form of support that really has helped us keep focused on making this project the best, most secure, most scalable, most durable, most resilient, most member-friendly secure network in existence.

Thank you.

A week into the beta launch, we'd like to share a few observations from the team:

The Beta Testing Decision

The choice to deploy the network in beta testing was made when we reached a comfort level with the overall security architecture and network auth systems. We launched before our network access widget is even ready for beta testing! The launch decision has helped us see ways to further improve the scaling capabilities of our backend systems - which was our goal - without requiring us to be ready with fully-polished client-side applications. That's enabled a multi-track approach to network improvements, and has really helped accelerate our progress overall.

"User Friendly" Tools & UI/UX Prioritisation

Without hesitation, we want to be really clear about something: we consider member-friendly tools to be equally as important as strong, well-implemented cryptographic technologies when it comes to deploying a genuinely useful secure network! We refer to "member-friendly" tools, rather than "user-friendly," because the latter has a derogatory tone, to our ear, that we feel is inappropriate. Rather, member-friendly tools are the gateway that allows serious cryptographic systems to be made available to a wide range of people - not just those with deeper tech expertise. Without that ability to provide protection to a wide audience, even the best "security technology" is useless against state-level surveillance machines and the Orwellian nightmare of NSA dragnet spying worldwide.

This is a topic on which, we as a team, are absolutely unbending: without elegant interfaces to strongly-secure systems, these systems are useless in real-world circumstances. If there isn't a "make it work" button that does exactly what it says - make it work - then the project has failed, period. The best secure network "client application" is one that doesn't exist: it fades into the background, doing what must be done reliably, securely, and with a "fail closed" approach to boundary-state circumstances.

One of the reasons our client access widget isn't ready for testing already is that we've pushed it through countless rounds of iteration in order to make it simpler, more elegant, and as "drama-free" as possible. We argue - with strong support from a host of academic studies and extraordinarily wise security experts - that a tool that is elegant, streamlined, and shorn of useless crap is by definition more secure than a bloatware-laden, complicated, unreliable "bells and whistles" monstrosity of an application. Less is more: do one thing - secure network traffic - and do it very, very well. This is our approach.

So How Does The Circle Square?

There's an interesting juxtaposition between our stated commitment to elegance in member-interface design, and our decision to roll out a beta network with essentially zero member-interface polishing whatsoever! Are we true to our word, or is there a split between what we say and what we do?

The decision we've made is to "proof" the network backend before opening up to wider community availability - this is fundamental, as connecting people to an insecure network is worse than useless. However, at the same time we feel we can best fine-tune our member-interface tools in collaboration with the community, post-launch, rather than trying to do that work entirely in-house. Since interface elegance is, by definition, measured by how it actually plays out in actual member-use scenarios, there's no sense of pretending we can do this ourselves - without extensive community feedback. So we've not pretended.

Further, when providing support for a wide range of platforms, and operating systems, and local configurations, it's all but impossible to preemptively test out every access configuration in advance. One of the powerful benefits of a beta test is that we can listen to feedback from folks with a vast range of local machine setups - and work with them to make whatever adjustments are needed to support the widest possible range of client setups. That's really effective.

So, in a sense, we're building out the member-interface side of things on the fly. This might not be entirely conventional (although lots of "agile" development models, in the deeper tech world, nowadays do exactly this as a core strategic decision), but for us it allows for a better, faster, more broadly-tested deployment. It's quite a bit of work for our team - all the feedback comes in and must be routed, digested, acted upon, and so forth - and it's of course work for our beta testers, as well. But the end result is a better network, with more elegant member-interface tools, for everyone. A big win!

Is Good Security Only For Hackers?

In a word: no.

And that's the whole point, isn't it? Any of us on our team - and many folks reading this post - will know how already to protect themselves with freely-available cryptographic tools. Yay for us. That's not going to do a damned thing to counter NSA-style illegal surveillance - it just leaves the rest of society that much more vulnerable to dragnet spying... and that's unacceptable.

Designing, building, improving, and managing security systems that are both reliably effective against intensive attack vectors and also elegant enough for non-geeks to use isn't easy. Not at all. But it's entirely possible and, franky, it's not the proverbial rocket science. The challenge lies more in taking off the "aren't we cool, we know so much about tech" chip on our shoulders, and humbling ourselves in the face of normal folks. Normal folks are people with lives, who don't want to burn time and energy learning the intricacies of crypto tech. That choice - to do other things than study crypto algorithms or systems-theoretic security models - is a healthy one. Sure, we're geeks - we love this stuff. But that makes us no better than anyone else. Indeed, it forms a sort of duty... a duty for us to use our expertise to create tools that allow other folks to benefit from what we know, as well.

That's our approach. Our job is to do this stuff right, tech-wise, and to do it so it's easy and elegant for everyone. This isn't a "geeks only" project. Well, ok, let's say this: during beta testing it's pretty much requiring some expertise with tech that's not widespread in society. That's, as we said above, a part of our testing/rollout methodology and most assuredly not some kind of acquiescence to a long-term "geeks only" status. Absolutely not!

We're geeks, and we're proud to be geeks. As are many of our members, our supporters, and those in the community who have helped this project come into existence. We're taking those skills, and experiences, and wisdoms, and we're baking them into a system that embodies them in a way that doesn't require geek status to operate. The "make it work" button, in real life.

The Next Steps

This first week of beta testing has been wonderful, honestly so. Not a figure of speech, but actually wonderful. Exciting, as something we've worked hard in behind the scenes births into a real system in the real world. Feedback from smart, dedicated, careful beta testers that's allowed us to zero in on dozens of improvements, in a flurry of fine-tuning. And, yes, some security-level holes (we're hunting a few DNS leaks in some client configurations; that's the big one right now) that we're quickly plugging. This is when things go from theoretical discussions to something... well, something real.

Next week, we're moving into an "official" launch - no longer testing, but a real rollout. The widget will be released on Monday, albeit with some fine-tuning to go as we move forward. We've got a couple of token resellers ready to go, hopefully Monday, to expand the options beyond Bitcoins and payment via Paypal (those two are already in place now). And we're going to make some wider announcements of the network; so far, we've only mentioned things to our existing customers, and to folks who follow us on twitter. Next week, we spread the word a bit further.

There will be lots of things to improve, to add, and to adjust as we go forward - that's true for any healthy tech project. We don't see a "code freeze" for the network, ever. Rather, our model is intrinsically dynamic - an ever-evolving approach that reacts to new threats, improves security against known threats, and all along works to improve member-interface elegance every step of the way. That's the "business" we're in, at core.

Shiny, Pretty, New..?

Oh, yeah... we've got some cool shit coming down the development pipeline, too. Protocol obfuscation. Leakblock integration. Local routing-table (& metric) modifications. Fast-flux based exitnode-auth redundancy to protect against Great Firewall-style DNS blocks on auth resources. VM-bound, OS-integrated network connection integration. USB image, VM-derived ephemeral secure network environments available as downloadable, self-installing iso's. Widget installers pre-loaded with auth tokens & disposable once the tokens expire, for maximal decoupling of temporal sessions. Token "wallet" functionality in the widget, to enable automated loading of new tokens without fiddly intermediate steps. Multi-layer token distribution structures to act as "token tumblers" and provide zero-knowledge proofs of token anonymity for buyers. Bitmessage-based token wallet loading tools. Blockchain-based public auth systems decentralisation. Opensourcing of exitnode management framework to enable broad community oversight & attack the "evil exit node" challenge. Token "chaining" for zero-knowledge proofs of physical IP nexus...

We've got a whole roadmap of stuff to do, as we move forward. Some of it's very, very interesting - and will change how we all think about 'network security' and what is possible in protecting against the most persistent, advanced, well-resourced threat vectors in existence. Plus, of course, additional activist outreach and additional support for others working hard - and taking real risks - to secure a free, open, diverse future for us all.

Then, there's the cleanphone project...

The shiny, pretty, new things are something we don't talk too much about publicly; it can seem a curse - "Duke Nukem" syndrome, vaporware 101. But sometimes it's ok to lay out a larger roadmap, a sense of where things are heading. In that regard, protocol obfuscation is really the neutron-star core of our future development. It's a big deal.

- - -

We don't have a "marketing department." We don't do "affiliate links," and we don't bribe "VPN review" websites to lie about how amazingly cool we are. To hell with all that. We also don't pull punches when "journalists" puff up advertisers who are deploying encraption: cryptographic systems with so many implementation flaws that they're nothing but security theatre.

Instead, we focus on our members, the community, and the technology.

Let someone else go out and fiddle SEO gimmicks to trick Google into thinking they're a credible security company (that means you, Hide My Ass aka Snitch My Ass). That's not us. We'd rather do something genuinely better, than waste time and effort trying to trick the world into think we're doing that when in fact we're just spinning bullshit. it's surprising how rare that approach is, but that's how things play out. "So it goes..." as Kurt Vonnegut succinctly put it. So it goes.

We're out to change the world.

That means we're doing things unlike others do things - that's not a bug, it's a feature. We might make mistakes - heck, we'll certainly make mistakes and already have - but we'll correct them, learn from them, and get better every step. With community engagement, community critique, and public review of what we're doing, we stand a fighting chance to make things better for everyone.

And that's our goal. We want to see these tools in the hands of millions of people - not a few thousand, thanks. Millions. There's a few billion people using the internet every day; how many have protection from surveillance... real protection? A few hundred thousand Tor users, perhaps? That's, what, less than 0.01% of internet users? That's pathetic. Sorry, but it is.

If we want to turn the tide against the global surveillance machine, we need to put these tools in the hands of a few hundred million folks... for a start. Shoot for a billion, go from there. That's the big picture, and we're in it to impact that picture - not to play in the kiddie pool. There's enough kids out there splashing around in the yellow-tinged shallows. Someone's gotta go out into the sharky, deep waters and face the ocean.

That's us.

Thank you, again, for your support and your encouragement and your sharp critique and your "it's broken" missives, and your suggestions and above all else your patience as we make this thing come alive. We're mortals, the team here: just ignorant monkeys doing our best to manifest a soupçon of wisdom, and perhaps be of some use to the rest of our world along the way. We're imperfect - but we're honest enough to reach out and lean on others to help lessen those imperfections and, together, make us stronger as a result.

Stronger we shall become, day by day. That's how we're going to change the world: together, one step at a time, sights set high.


    ~ cryptostorm_team
cryptostorm_team - a shared, team-wide forum account (not a person)
PLEASE DON'T SEND PRIVATE MESSAGES to this account, as we can't guarantee quick replies!
--> feel free to use any of our other contact channels, or post in the support forum
cryptostorm: structurally anonymous, token-based, unlimited ☂ bandwidth, opensource, darknet data security for everyone!
keybase.io validatorsonename.io validatorsPGP key @ MITnetwork statuscryptostorm github
support team bitmessage address: BM-2cTMH8K5JnjbfSALjZtSkRWCLfc3Tr8GBV
support team email: [email protected]
live chat support: #cryptostorm

User avatar

Posts: 346
Joined: Thu Oct 24, 2013 2:37 pm

Re: On security, elegance, & changing the world

Postby DesuStrike » Sun Oct 27, 2013 3:15 am

This is truly an extraordinary post!

I stumbled upon cryptostorm by total accident and I am very glad I did so. The team running this project is really amazing and totally different from what I experienced so far in the VPN-Industry. I think you guys truly believe in what you say and I agree with your plans and views across the board.

I hope I can be helpful along the way and I encourage everyone to join in!
Projects like this one are an important part in the fight for privacy and freedom.

Let's help the cryptostorm_team help us!
home is where the artillery hits

Posts: 16
Joined: Sun Oct 20, 2013 4:58 am

Re: On security, elegance, & changing the world

Postby mrwaldo » Sun Oct 27, 2013 6:09 am

I've been looking for a VPN provider to replace my current provider *cough*PIA*cough*
Glad that i found you guys! Can't wait to see what you guys have to come in the near future.

Posts: 97
Joined: Tue Jan 01, 2013 11:21 pm

Re: On security, elegance, & changing the world

Postby Rider » Sun Oct 27, 2013 8:54 am

DesuStrike wrote:
Let's help the cryptostorm_team help us!


Posts: 97
Joined: Tue Jan 01, 2013 11:21 pm

Re: On security, elegance, & changing the world

Postby Rider » Sun Oct 27, 2013 8:58 am

mrwaldo wrote:I've been looking for a VPN provider to replace my current provider *cough*PIA*cough*
Glad that i found you guys! Can't wait to see what you guys have to come in the near future.

+1 Going by CryptoStorm's recent beta rollouts, CryptoStorm has lot to offer. It will take some time before we get the polished product since, it has few bugs. To be honest, I can't wait until the software is released. I am not a big fan of using unknown software on my computer.

User avatar

Posts: 1493
Joined: Sun Dec 16, 2012 6:34 am

Re: On security, elegance, & changing the world

Postby Pattern_Juggled » Tue Oct 29, 2013 6:37 pm

Rider wrote:To be honest, I can't wait until the software is released. I am not a big fan of using unknown software on my computer.

The widget has been in development for months, and I think - based on the limited alpha testing I've seen of it so far - it's going to be pretty impressive. It's fully opensource, with code published from Day One. To me, that's an absolutely essential prerequisite for any security tool that wants to be taken seriously.

In the meantime, just to be clear, all the tools being used to enable "raw" network access are opensource, peer-reviewed builds of the core OpenVPN engine itself. They might be "unknown" in the sense of not being familiar to a given network participant... but they're certainly not unknown in the sense of the larger security community. Indeed, source for all these tools is both easily available (via git) for direct code review and - just as important if not more so - easy to self-compile to ensure that production binaries match known-clean source materials.

True, for folks using repositories to grab "current" builds of OpenVPN (for example), there's a trust element in assuming the repository is pushing out non-crippled tools. But self-compiling is right there as an option, always - and that can be done without even needing git, but rather via tarballs grabbed from the latest builds & manually checked for hash matching.

The one exception, afaik, is the Viscosity client for Macs - which isn't opensource.

Anyway, the downside to these "raw" connection tools is that they're far from member-friendly and require way too much fiddling for most nontechnical folks. Hence the need for the widget - which is build to span platform and OS, structurally, so it's got a unified security architecture and a unified update trajectory going forward.

I know the customer support folks are as keen to see the widget roll out as anyone - since they're fielding the questions from members seeking to make sense of the "raw" tools even if they've not used such things previously! But we're not going to rush the widget onto the wire, any more than we've rushed anything about the project thus far.

Thanks again for the feedback, suggestions, and critique...
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
[email protected]ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github


Re: cryptostorm: on security, elegance, & changing the world

Postby Guest » Wed Oct 30, 2013 9:36 am

Can you elaborate on the cleanphone project? or link to an information page somewhere?

Return to “cryptostorm in-depth: announcements, how it works, what it is”

Who is online

Users browsing this forum: No registered users and 3 guests