Who are or is CryptoStorm?
Now, this innocuous sounding question is in fact very difficult to answer, and is also surprisingly … er… colorful. As far as we have been able to piece the story together…
CryptoStorm is a reincarnation of VPN service CryptoCloud, a subsidiary (or possibly close working partner) of Baneki Privacy Computing, the CTO of which was a certain Douglas Spink (it has been widely reported that Mr Spink was the owner of both CryptoCloud and Baneki Privacy Computing, but a current spokesperson for CryptoStorm maintains that ‘Baneki Privacy Labs is not “owned” by anyone. It’s a collective of security researchers, as it has been for many years.’
Spink, a once successful American entrepreneur and adrenaline junkie who lost his millions and filed for bankruptcy in 2002, was convicted of smuggling 375 pounds of cocaine (valued at $34 million) in 2005, and arrested for running a bestiality farm in Canada in 2010. Given the large amount of drugs that Spink was convicted for smuggling, it seems rather strange (read suspicious) that he was released after only 3 years of a 17 year sentence (and nothing much seems to have come out of the bestiality charges). The only plausible explanation is that Mr Spink cooperated heavily with the authorities.
We reviewed CryptoCloud a few months ago, and to be honest the reviewer (not the writer of this article), was less than impressed. However the company has recently reinvented itself as CrytoStorm, and offers some very interesting new ideas, billing itself as a structurally anonymous, token based darknet, based in Canada. Whether Mr Spink is involved in the ‘new’ company is less than clear (an anonymous spokesperson for CryptoCloud says not, but as that spokesperson may in fact be Douglas Spink, we don’t know how far to trust this). The fact that the entire CryptoStorm team has chosen to remain anonymous only muddies the water further.
Given how shady the whole setup looks, you might be forgiven for wondering why we are even taking the time to review this provider. Well, the answer is that CryptoStorm’s token based authentication idea is possibly revolutionary, the company has made something of a name for itself with its campaign for privacy companies to take a ‘seppuku pledge’, and because not all of its publicity has been negative. In August it was Baneki Privacy Labs and CryptoCloud who identified an exploit in the Tor browser (used as part of the Tor Browser Bundle) which de-anonymised users, and sent their details to an IP address associated (maybe) with the NSA.
Token based authentication
As is explained at impressive (if slightly tedious) length in its documentation, the core idea behind CryptoStorm is to build a VPN system that de-couples payment from access to the VPN, so that CryptoStorm (the VPN provider) does not know who you are. Now if done carefully, then paying for a VPN service using Bitcoins can already provide a high degree of anonymity (although a VPN provider will always be able to ‘see’ its users’ true IP addresses if it so chooses, and CryptoStorm is no exception), but this token based system does offer an additional level of obfuscation to the payment process (and the token can themselves be paid for using Bitcoins).
The system basically allows you to buy ‘tokens’ that authorise you to use the service for a certain amount of time. These token can be bought either directly from CryptoStorm or, once the service is fully up and running, from third party vendors (thus putting greater distance between yourself and CryptoStorm).
Critical to this process is how easily these tokens can be traced back to you as an individual. CryptoStorm claims to keep no records of token sales, although it cannot of course speak for third party sellers. It sees these tokens being used much like Bitcoins, traded, resold, anonymised etc. according to market forces. Much as with Bitcoins, you get to decide how much effort and risk you are willing to put into ensuring your anonymity.
We think this is an ingenious idea, and because tokens do not identify individuals and are purely ‘one way’ (i.e. they only allow access to the VPN service, not any access to or information about the user)), even if some form of Man-in-the-middle (MitM) attack were to occur, the only thing that would happen is that someone could to use the CryptoStorm VPN service for free. No user accounts would be compromised (as there aren’t any).
As we noted, CryptoStorm explains the idea at great length on its website forum, including answering most questions (also at length) that we can think of, so if you are interested then it’s probably worth popping over for a look.
Pricing and Package Features
Pricing is very simple as there is only one ‘package’ available (at least at the moment, remembering that the service is still in beta stage). CA$8.00 (US$.7.60) per month givers you a straight, bare bones OpenVPN service, albeit one that uses the token based authentication. There are discounts available for bulk purchases, and fees are slightly lower (CA$7.00 / US$6.70) if you pay using Bitcoin (which is encouraged).
Customers of the old CryptoCloud network will have any fees they have paid honored, and given a one-for-one equivalency on CryptoStorm services.
When it comes to servers, CryptoStorm claims to ‘run physical machines in Quebec and Iceland, with exit nodes coming online in the UK, Switzerland, Ukraine, Panama, US, and Czech Republic shortly,’ but as you will see below, we could only connect to the server in Montreal for now.
CryptoStorm is happy for you to use BitTorrent for P2P downloading.
Website and customer service
The website is, to be honest a little ugly and non-user friendly, an impression only enhanced by the techno-jargon heavy language used throughout the site, which is certainly not newbie or non-techy friendly. Consider the blurb greeting new visitors to the CryptoStorm website on its homepage:
Information is presented through forum posts that are often dense and somewhat rambling, but which nevertheless ooze technical competence and enthusiasm if you are willing dive in deeply enough. This is definitely not the way to draw in those with only casual interest in the subject, and even those willing to fully engage may be slightly disconcerted by its distinctive style, which combines wordy loquaciousness with an interest in jargon heavy minutiae. It should also be noted that this rather distinctive style is more than a little reminiscent of the writing style of Douglas Spink.
Of course, the service is in beta at the moment, so it may become more consumer-friendly in the future. It should be noted however that a major complaint our reviewer had about CryptoCloud concerned exactly the same issues.
Customer service is via the forums or Twitter, forum or email.
Privacy and security
If Mr Spink is indeed involved with CryptoStorm, then his quick release from prison following his drug smuggling conviction, combined with the fact that following the bestiality farm case a condition of his release (.pdf) was that any computing hardware and software of his is be monitored by the United States Probation Department, could lead to well-founded suspicion that CryptoStorm might be an FBI honeypot.
‘If a court orders us to close an account, we will do so. If a court orders us to allow them to secretly place surveillance “sniffers” on a specific account, we will fight this order to the highest judicial authority possible. If we lose, we will shut down the business and call it a day. End of story.’
CryptoStorm back this up with a ‘Seppuku Pledge’ where it promises to shut down its service rather than compromise any of its customers. This sounds great; although we are only of course taking its word that it will in fact do this.
It should also be noted that although Canada, where CryptoStorm is based, has until recently had no mandatory data retention laws that applied to VPN’s, this has now changed. The new laws have yet to come into effect, but will have a sharp impact on all Canada based VPN services.
Although using a new authentication system, the underlying technology used by CryptoStorm is OpenVPN, with CBC 256-bit AES encryption, RSA-2048 asymmetric key encryption, and SHA-512 hash authentication, all of which is excellent (ignoring the fact that we would like to see a general move away from NIST approved cyphers). As we noted earlier, when it comes to tech, CryptoStorm appear to know it is doing.
One thing that the website makes big deal about is CryptoStorm’s use of Diffie-Hellman ephemeral sessions (i.e. Perfect Forward Secrecy). This is again great, but it is unclear whether more is being offers than the standard ephemeral key exchanges built into OpenVPN by default.
CryptoStorm states that all of its code is open source, and will be made available for public scrutiny once it is ready which is, again, great.
You can pay for the service using PayPal or Bitcoins. Bitcoins are the preferred choice for both us and CryptoStorm, but the extreme volatility of the crypto-currency at the time of writing this article led us to choose PayPal. In future it should also be possible to buy tokens from third party vendors, but for the time being orders are being manually processed by CryptoStorm. This process should be automated once CryptoStorm are up and running properly, resulting in much quicker processing times, but for now it took around an hour and a half before the token was emailed to us.
The access token was sent in a plain text email, but as we discussed earlier, since it is ‘one way only’, this is unlikely to threaten our anonymity. The email did also state that CryptoStorm will be happy to replace the token with new one sent by PGP’ed email or other secure method if we prefered.
The Windows Client (beta)
The windows client could not be easier to install and run – just download the zip file, unzip and run it, enter the token code, click ‘Connect’, and you’re done.
There is no option to choose which server to connect to, but the client did connect without any issues. When we checked on WhatIsMyIPAddress.com we found that we were connected to a server in Montreal (Canada).
We also tried connecting using the regular open source OpenVPN client. The instructions provided were complex and confusing, and it took a frustrating while to work out where the OpenVPN config files where hidden. However, once found we found them then everything worked fine, although we were again only given the option of connecting to a server in Montreal.
Forum guides, which tend towards the highly technical and more than a little confusing, but which should all work, are available for Windows, OSX (Viscocity and Tunnelblick), Android, Linux (general) Ubuntu, openSUSE, and DD-WRT routers.
We put the various connections to the test using speedtest.net, on our 20 meg UK broadband.
As you can see, speeds were not great, particularly when using the custom software. However this is not perhaps too surprising as both the service and the software are still in beta.
- Token based authentication is a fantastic and arguably revolutionary idea
- Payment can be further anonymised using Bitcoins and third party vendors (when this is made available)
- Top notch encryption used
- Token based payment went through quickly and worked well
We weren’t so sure about
- Performance is so-so to poor (but in fairness the system is still in beta phase)
- ‘Seppuku Pledge’ sounds great, but we still have to take their word for it
- Website and distinctive language used on website can be quite beguiling and impresses on technical level, but can be opaque and confusing to even an experienced technical writer
- At present we could only connect to the server in Canada, although this will probably change
- May be associated with a dodgy and morally repugnant character
- If so, then it is possible the service is a front for the authorities (i.e. a honeypot)
If we ignore the possible Douglas Spink connection, then CryptoStorm brings something new and exciting to the table in the form of its token based authentication and payment system, which could pave the way across the industry for a much more anonymous of paying for VPN (always remembering of course that a VPN provider can always see your original IP address unless you take robust measures to prevent it).
The service is still in beta, so for now we will forgive its rough edges and limitations, although by the time it goes mainstream we would hope to see all the advertised servers being available, improved performance (especially when using the custom software), and much more user-friendly documentation.
If you factor in Mr Spink’s possible involvement however… well, we’ll leave that one to you…