ExpressVPN Employees Complain About Ex-Spy's Top Role At Company (reuters.com) 28
An anonymous reader quotes a report from Reuters: When a senior executive at virtual private network company ExpressVPN admitted to working on behalf of a foreign intelligence service to hack American machines last week, it stunned employees at his new company, according to interviews and electronic records. What ExpressVPN said after the U.S. Justice Department's deferred prosecution agreement disturbed some employees further. The company had known about Dan Gericke's history as a mercenary hacker for the United Arab Emirates. The VPN provider said it had no problem with the former intelligence operative protecting the privacy of its customers. In fact, the company had repeatedly given Gericke more responsibility at ExpressVPN even as the FBI investigation of his conduct pressed toward its conclusion.
Gericke was named chief technology officer in August, according to an internal email at the time, and remains in the post. Shortly after the court filings showed Gericke and two other former U.S. intelligence operators agreeing to pay a fine and give up any future classified work, he emailed his colleagues at ExpressVPN. "I can imagine that this kind of news is surprising or even uncomfortable," Gericke wrote in the message obtained by Reuters, then assured them that he had used his skills to protect consumers from threats to their security and privacy.
When senior company executives during a regular online question-and-answer session last Friday with employees accepted queries about Gericke's deal and then discussed the sale announced days earlier of the company to British-Israeli digital security software provider Kape Technologies PLC, the workforce vented its anger. One employee wrote anonymously on an internal chat board: "This episode has eroded consumer's trust in our brand, regardless of the facts. How do we intend to rebuild our reputation?" Asked about the controversy, ExpressVPN said in a statement that the exchange was part of a regular monthly session between management and employees. "As a company, we value openness, dialogue and transparency -which includes robust debate and incisive questioning," the company said. It said it had not known of the federal investigation or the details of Gericke's work in UAE, and it said that country's surveillance campaign was "completely antithetical to our mission."
At ExpressVPN's session with leaders Friday, the second-most supported question also concerned him. "As an individual I have a problem accepting that Dan was hired despite disclosing past actions. These actions are not small thing we can easily forget or accept. Don't they go against all the things XV stands for?" that person asked. To Reuters, the company responded: "It's only through clear commitment and contributions to our mission that Daniel has been able to earn senior leadership roles within the company and the full confidence of our co-founders."
Gericke was named chief technology officer in August, according to an internal email at the time, and remains in the post. Shortly after the court filings showed Gericke and two other former U.S. intelligence operators agreeing to pay a fine and give up any future classified work, he emailed his colleagues at ExpressVPN. "I can imagine that this kind of news is surprising or even uncomfortable," Gericke wrote in the message obtained by Reuters, then assured them that he had used his skills to protect consumers from threats to their security and privacy.
When senior company executives during a regular online question-and-answer session last Friday with employees accepted queries about Gericke's deal and then discussed the sale announced days earlier of the company to British-Israeli digital security software provider Kape Technologies PLC, the workforce vented its anger. One employee wrote anonymously on an internal chat board: "This episode has eroded consumer's trust in our brand, regardless of the facts. How do we intend to rebuild our reputation?" Asked about the controversy, ExpressVPN said in a statement that the exchange was part of a regular monthly session between management and employees. "As a company, we value openness, dialogue and transparency -which includes robust debate and incisive questioning," the company said. It said it had not known of the federal investigation or the details of Gericke's work in UAE, and it said that country's surveillance campaign was "completely antithetical to our mission."
At ExpressVPN's session with leaders Friday, the second-most supported question also concerned him. "As an individual I have a problem accepting that Dan was hired despite disclosing past actions. These actions are not small thing we can easily forget or accept. Don't they go against all the things XV stands for?" that person asked. To Reuters, the company responded: "It's only through clear commitment and contributions to our mission that Daniel has been able to earn senior leadership roles within the company and the full confidence of our co-founders."
Well, I'll uh be cancelling my ExpressVPN as of... (Score:4, Funny)
Re: (Score:3)
This kind of company... (Score:3)
Re: Well, I'll uh be cancelling my ExpressVPN as o (Score:1)
What is the good replacement?
Re: (Score:1)
iVPN (ivpn.net) is worth looking at. I've been very happy with them.
Re: (Score:2)
Dropped them... (Score:2)
The rush to VPNs for all was kind of strange (Score:4, Insightful)
I get it, you don't want to trust your ISP. But why would you trust some random company on the Internet to do better? Most security issues are at the endpoints (you or the server) anyway.
At least your ISP has some physical plant in your area (usually including physical connections to your home, unless they're a WISP, but still even then there'll be a tower nearby), so you know they really exist; they're registered in some form or fashion with your local government, so hopefully if something goes wrong, there's at least someone to try to hold accountable (yeah, "try", but still better than nothing).
Sending all your traffic to a company you can't actually know anything about is in no way safer. Just because they promise "we're secure, we don't snoop your traffic" doesn't mean either of those promises are true. And if something does go wrong, there's no guarantee that anybody related to the company is even in your local/state/federal jurisdiction.
Re: (Score:3)
The original reason wasn't security. It was ability to watch content from other countries. e.g. UK. Security came latter. In the first case VPN logging wasn't an issue.
Probably worse, actually (Score:2)
Your regular neighborhood ISP is in the business of delivering YouTube cat videos and Netflix. 0.000x% of the traffic is interesting. It's a needle in a haystack to anyone looking for juicy stuff.
On the other hand, people often buy and use a "VPN service" (really just a distant ISP) precisely *because* they plan to use it for something juicy. VPN traffic is more like a stack of needles contaminated with hay.
If YOU were looking for needles, would YOU look in the haystack (Comcast) or in the needle stack (Sec
Re: (Score:2)
NSA already has their claws in pretty much everything, and signals intelligence is purview of NSA, not CIA or FBI.
CIA Office of Sigint Operations (OSO) (Score:3)
The FBI is *police* for federal *crimes* committed within the United States. The CIA gathers information about activities outside of the United States, mostly non-criminal activity. The distinction is one of mission, not of tactics. Police and CIA both tap phones - they do so for very different reasons. Then I read people's communications for yet a different reason. All three using the same techniques; the difference is why we're doing it.
The NSA would like to convince Congress and the president that they s
Re: (Score:2)
PS - the first, longest-running, and best signals intelligence agency in the United States is ONI. :)
Re: (Score:2)
The irony of that meaning "demon" in Japanese is not lost on me.
Re: (Score:2)
Informative. I knew most of this, but not all. I'll go read, specially the second link is right up my alley of how to spend a good evening. Thank you.
In light of above, would you still agree that clear majority of SIGINT in US today is done by NSA, even if CIA and FBI have their own niches carved out for reasons you outlined above? Or would that be an incorrect statement in your view?
Re: (Score:2)
Glad to hear it's interesting to you.
As to your question, understand I'm not going to state any facts other than those I know to be officially declassified, or very widely known from things like the Snowden links.
As opinion commentary I'll say NSA has been in the news and it's more in the public awareness. Much like MI-6 is much more well known than MI-5 - because of the James Bond movies. Sections went from MI-1 (encryption breaking team) to MI-19 (prisoner interrogation); most people have only heard of MI
PS - that's the government half (Score:2)
Speaking of different pies, there are also a number of private companies that analyze a significant portion of the internet connections in the United States, for security purposes and for other commercial purposes.
Companies like Crowdstrike are watching the activities of groups like Fancy Bear, as well as gathering intelligence on threat trends in general. Units within Amazon AWS, Google, Comcast, Cloudflare, Akami, Microsoft etc are doing the same.
So at a rough approximation one might say:
A portion of the
Re: (Score:2)
I think you nailed the problem I had in comprehension on the head. I read this:
>Your regular neighborhood ISP
And as a foreigner immediately assumed the primary SIGINT role as would be related to someone who's not of particular interest to US foreign intelligence is going to be in the NSA's jurisdiction. CIA is the more goal-oriented organisation as far as I understand it (i.e. get any data related to the state of the Iran's nuclear program), where's NSA is the opportunistic one (vacuum everything and the
Re: (Score:2)
>useful for watching foreign content
In practice I have ended up using the VPN more in order to get my traffic back inside my home country so normal services (bank, broker, etc) don't throw a tizzy while I'm traveling.
Re: (Score:3)
If it turns out your VPN provider / your ISP rats out people to the MAFIAA or MITMs your cloud connection, do you drop them? You would have no problem finding another VPN provider, but you would probably stick with your ISP nevertheless, because most people can choose between at most two ISPs and usually one of those isn't really an option. That's why ISPs get away with all sorts of shenanigans. ISPs have been proven to throttle traffic, tamper with web pages, and tag traffic to make their customers identif
A Criminal Lawyer (Score:2)
Re: (Score:2)
prove ALL traffic uses VPN? (Score:2)
We already know that some products (from Apple, AFAIR) bypass VPNs and use the underlying network connection. How easy is it to verify that ALL of your network traffic goes through the VPN? I have switches that do port mirroring, so my SOHO network can be checked for bypass on the wired and WiFi connections, but I would need a much more expensive (and, perhaps, illegal for private use) stingray or the like to check for wireless data bypassing the VPN.
It's funny (odd) that some businesses won't allow remot
Re: (Score:2)