Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security

ExpressVPN Employees Complain About Ex-Spy's Top Role At Company (reuters.com) 28

An anonymous reader quotes a report from Reuters: When a senior executive at virtual private network company ExpressVPN admitted to working on behalf of a foreign intelligence service to hack American machines last week, it stunned employees at his new company, according to interviews and electronic records. What ExpressVPN said after the U.S. Justice Department's deferred prosecution agreement disturbed some employees further. The company had known about Dan Gericke's history as a mercenary hacker for the United Arab Emirates. The VPN provider said it had no problem with the former intelligence operative protecting the privacy of its customers. In fact, the company had repeatedly given Gericke more responsibility at ExpressVPN even as the FBI investigation of his conduct pressed toward its conclusion.

Gericke was named chief technology officer in August, according to an internal email at the time, and remains in the post. Shortly after the court filings showed Gericke and two other former U.S. intelligence operators agreeing to pay a fine and give up any future classified work, he emailed his colleagues at ExpressVPN. "I can imagine that this kind of news is surprising or even uncomfortable," Gericke wrote in the message obtained by Reuters, then assured them that he had used his skills to protect consumers from threats to their security and privacy.

When senior company executives during a regular online question-and-answer session last Friday with employees accepted queries about Gericke's deal and then discussed the sale announced days earlier of the company to British-Israeli digital security software provider Kape Technologies PLC, the workforce vented its anger. One employee wrote anonymously on an internal chat board: "This episode has eroded consumer's trust in our brand, regardless of the facts. How do we intend to rebuild our reputation?" Asked about the controversy, ExpressVPN said in a statement that the exchange was part of a regular monthly session between management and employees. "As a company, we value openness, dialogue and transparency -which includes robust debate and incisive questioning," the company said. It said it had not known of the federal investigation or the details of Gericke's work in UAE, and it said that country's surveillance campaign was "completely antithetical to our mission."

At ExpressVPN's session with leaders Friday, the second-most supported question also concerned him. "As an individual I have a problem accepting that Dan was hired despite disclosing past actions. These actions are not small thing we can easily forget or accept. Don't they go against all the things XV stands for?" that person asked. To Reuters, the company responded: "It's only through clear commitment and contributions to our mission that Daniel has been able to earn senior leadership roles within the company and the full confidence of our co-founders."

This discussion has been archived. No new comments can be posted.

ExpressVPN Employees Complain About Ex-Spy's Top Role At Company

Comments Filter:
  • by Baconsmoke ( 6186954 ) on Friday September 24, 2021 @05:11PM (#61829819)
    right this very second.
  • ExpressVPN was my VPN of choice but I dropped them last year because of issues with their loader.
  • by Burdell ( 228580 ) on Friday September 24, 2021 @06:01PM (#61829937)

    I get it, you don't want to trust your ISP. But why would you trust some random company on the Internet to do better? Most security issues are at the endpoints (you or the server) anyway.

    At least your ISP has some physical plant in your area (usually including physical connections to your home, unless they're a WISP, but still even then there'll be a tower nearby), so you know they really exist; they're registered in some form or fashion with your local government, so hopefully if something goes wrong, there's at least someone to try to hold accountable (yeah, "try", but still better than nothing).

    Sending all your traffic to a company you can't actually know anything about is in no way safer. Just because they promise "we're secure, we don't snoop your traffic" doesn't mean either of those promises are true. And if something does go wrong, there's no guarantee that anybody related to the company is even in your local/state/federal jurisdiction.

    • The original reason wasn't security. It was ability to watch content from other countries. e.g. UK. Security came latter. In the first case VPN logging wasn't an issue.

    • Your regular neighborhood ISP is in the business of delivering YouTube cat videos and Netflix. 0.000x% of the traffic is interesting. It's a needle in a haystack to anyone looking for juicy stuff.

      On the other hand, people often buy and use a "VPN service" (really just a distant ISP) precisely *because* they plan to use it for something juicy. VPN traffic is more like a stack of needles contaminated with hay.

      If YOU were looking for needles, would YOU look in the haystack (Comcast) or in the needle stack (Sec

      • by Luckyo ( 1726890 )

        NSA already has their claws in pretty much everything, and signals intelligence is purview of NSA, not CIA or FBI.

        • The FBI is *police* for federal *crimes* committed within the United States. The CIA gathers information about activities outside of the United States, mostly non-criminal activity. The distinction is one of mission, not of tactics. Police and CIA both tap phones - they do so for very different reasons. Then I read people's communications for yet a different reason. All three using the same techniques; the difference is why we're doing it.

          The NSA would like to convince Congress and the president that they s

          • PS - the first, longest-running, and best signals intelligence agency in the United States is ONI. :)

          • by Luckyo ( 1726890 )

            Informative. I knew most of this, but not all. I'll go read, specially the second link is right up my alley of how to spend a good evening. Thank you.

            In light of above, would you still agree that clear majority of SIGINT in US today is done by NSA, even if CIA and FBI have their own niches carved out for reasons you outlined above? Or would that be an incorrect statement in your view?

            • Glad to hear it's interesting to you.

              As to your question, understand I'm not going to state any facts other than those I know to be officially declassified, or very widely known from things like the Snowden links.

              As opinion commentary I'll say NSA has been in the news and it's more in the public awareness. Much like MI-6 is much more well known than MI-5 - because of the James Bond movies. Sections went from MI-1 (encryption breaking team) to MI-19 (prisoner interrogation); most people have only heard of MI

              • Speaking of different pies, there are also a number of private companies that analyze a significant portion of the internet connections in the United States, for security purposes and for other commercial purposes.

                Companies like Crowdstrike are watching the activities of groups like Fancy Bear, as well as gathering intelligence on threat trends in general. Units within Amazon AWS, Google, Comcast, Cloudflare, Akami, Microsoft etc are doing the same.

                So at a rough approximation one might say:
                A portion of the

              • by Luckyo ( 1726890 )

                I think you nailed the problem I had in comprehension on the head. I read this:

                >Your regular neighborhood ISP

                And as a foreigner immediately assumed the primary SIGINT role as would be related to someone who's not of particular interest to US foreign intelligence is going to be in the NSA's jurisdiction. CIA is the more goal-oriented organisation as far as I understand it (i.e. get any data related to the state of the Iran's nuclear program), where's NSA is the opportunistic one (vacuum everything and the

    • If it turns out your VPN provider / your ISP rats out people to the MAFIAA or MITMs your cloud connection, do you drop them? You would have no problem finding another VPN provider, but you would probably stick with your ISP nevertheless, because most people can choose between at most two ISPs and usually one of those isn't really an option. That's why ISPs get away with all sorts of shenanigans. ISPs have been proven to throttle traffic, tamper with web pages, and tag traffic to make their customers identif

  • Don't go with a flashy, well funded, publicly traded VPN company. Go with one based in some Eastern European country and associated with ransomeware attacks. You know their system will work, you know they won't talk to cops, you'll know they won't keep logs, and it'll be affordable because they need the traffic to mask their activities.
    • Follow the money. Selling at the top? of the market, and getting tax freeish returns pumped into Bermuda or an Irish/Dutch sandwich makes a lot of sense. Will there be an inverted buyback? I can't trust my OS, I can't trust my telco, and the VPN is a light cover. But this deal will cement market cap damages if a VPN gets caught/ fingered for leaking. However the UK has a law to make it illegal to seek full discovery(perjury by prosecution is OK). So UK/AU/NZ is a deal breaker, probably CA too. I think the V
  • We already know that some products (from Apple, AFAIR) bypass VPNs and use the underlying network connection. How easy is it to verify that ALL of your network traffic goes through the VPN? I have switches that do port mirroring, so my SOHO network can be checked for bypass on the wired and WiFi connections, but I would need a much more expensive (and, perhaps, illegal for private use) stingray or the like to check for wireless data bypassing the VPN.

    It's funny (odd) that some businesses won't allow remot

    • How easy ? Just get a Raspberry Pi and put Wireshark on it. Plug it into your switch and set that port to mirror the port connected to the Internet. Scan the Wireshark output and done.

"All the people are so happy now, their heads are caving in. I'm glad they are a snowman with protective rubber skin" -- They Might Be Giants

Working...