I think it's prudent to assume (even if not accurate in every case) that any VPN provider that reaches PIA scale has already been compromised by the relevant State Actor working its jurisdiction.
It's the tragedy of success in the privacy industry.
Except for the fact that PIA has been subpoenaed by the FBI and state police multiple times and PIA could give them dick all. Yes, their servers could be compromised illicitly, but if the NSA or GCHQ is willing to go to that much trouble just to monitor you, you have bigger problems.
>[...] but if the NSA or GCHQ is willing to go to that much trouble just to monitor you, you have bigger problems.
This type of argument contains the assumption that it would be too much trouble for them/not worth it to monitor an affluent anarchist or semi-anti-authoritarian with an above-average IQ.
We've seen that A) their resources are as virtually unlimited as their paranoia B) tech developments have driven down the cost of sophisticated surveillance strategies C) xkeyscore and all of the other releases is confirmation.
This type of argument does us all a disservice by subtly shaming those who care about state surveillance of private (and peaceful) citizens who value their privacy and/or who exercise their right to actively participate in progressive movements that challenge the establishment.
It also embeds an assumption that someone is targeting you instead of people like you. Compromising the servers of a VPN provider makes plenty of sense in the service of full-take or person-of-interest collection.
We've already seen that the NSA actively targets people searching for privacy tools (e.g. Tails, Tor). The act of using a VPN is mildly interest-provoking, so it's far from crazy to suspect that someone might try to scrape everything happening there in case some of it is interesting.
PIA might actually log everything and send it to the FBI as a regular part of their operation, hell, they might even be funded by the FBI and you would never know.
You should not trust what people tell you over the internet.
If they have your data but won't give it to the authorities, the result is the same, isn't it? Unless you're suggesting the authorities aren't fooled, and will pry it out of them? That hasn't been the case so far.
They're asking how do you know they didn't hand the data over but just publicly say they didn't? Or that they agreed to give it to the FBI if the FBI would treat it as a confidential source.
I found malware in the PIA installer. Not sure if it was planted by PIA themselves or I was subjected to a MITM attack, and so I would never use any bespoke VPN software again. Best just downloading the OpenVPN config files and plug them into something like Viscosity[0] (which I trust over the more bespoke VPN clients made by the VPN providers themselves).
As a general rule of thumb, I have used various VPN services and made sure to never use their clients. Downloading an OpenVPN configuration file IMO seems the best way to go about it.
Speaking of PIA and not using the provider's client, I've written this simple python script that populates PIA OpenVPN routes for NetworkManager on a bunch of Linux distributions, which then pop right into the system tray or are accessible from nmcli, etc. (https://github.com/dagrha/pypia)
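Several comments above recommend skipping the provider's client and importing its OpenVPN config files directly. A config file is still input you downloaded from the provider (or from whoever sat in the middle), so it is worth checking before handing it to NetworkManager or Viscosity. The following is an added example, not code from the thread, from PIA, or from the pypia project: it parses an .ovpn file, lists the `remote` endpoints, and flags missing hardening directives (`remote-cert-tls server`, `verify-x509-name`, an inline or file CA) as well as anything that would make OpenVPN run a program on the client (`script-security 2`/`3`, `up`/`down` hooks). The two configs embedded at the bottom are constructed samples with documentation hostnames.

```python
"""Audit a downloaded OpenVPN client config before importing it (added example)."""
import re

# Directives a client .ovpn should carry; a value of None means "just present".
REQUIRED = {
    "remote-cert-tls": "server",   # refuse peers whose cert lacks the server EKU
    "verify-x509-name": None,      # pin the expected server certificate name
}
# Client-side hooks that execute a program when the tunnel changes state.
SCRIPT_HOOKS = {"up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify"}

# <ca> ... </ca> style inline sections (certificates, keys, tls-auth material)
INLINE_BLOCK = re.compile(r"<(?P<tag>[a-z-]+)>(?P<body>.*?)</(?P=tag)>", re.S)


def parse_ovpn(text):
    """Return (directives, inline_blocks): directives is a list of (name, args)
    in file order; inline_blocks maps a tag such as 'ca' to its body."""
    blocks = {m.group("tag"): m.group("body").strip()
              for m in INLINE_BLOCK.finditer(text)}
    directives = []
    for raw in INLINE_BLOCK.sub("", text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        name, *args = line.split()
        directives.append((name, args))
    return directives, blocks


def audit_ovpn(text):
    """Summarise where the config connects and what a reviewer should question."""
    directives, blocks = parse_ovpn(text)
    found = {}
    for name, args in directives:
        found.setdefault(name, []).append(args)

    remotes = [" ".join(args) for args in found.get("remote", [])]
    problems = []
    for name, expected in REQUIRED.items():
        if name not in found:
            problems.append(f"missing {name}")
        elif expected is not None and found[name][0][:1] != [expected]:
            problems.append(f"{name} is {' '.join(found[name][0])!r}, expected {expected!r}")
    if "ca" not in blocks and "ca" not in found:
        problems.append("no CA certificate (inline <ca> or ca file)")
    for name, args in directives:
        if name in SCRIPT_HOOKS:
            problems.append(f"runs a program on the client: {name} {' '.join(args)}")
    sec = found.get("script-security", [["0"]])[0]
    if sec and sec[0] in ("2", "3"):
        problems.append(f"script-security {sec[0]} allows external commands")
    return {"remotes": remotes, "problems": problems}


# Constructed sample: a reasonable client config (hostname is a placeholder).
GOOD_CONFIG = """client
dev tun
proto udp
remote vpn.example.invalid 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
verify-x509-name vpn.example.invalid name
auth-user-pass
verb 1
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

# Constructed sample: same config with server verification dropped and a hook added.
TAMPERED_CONFIG = GOOD_CONFIG.replace("remote-cert-tls server\n", "") + \
    "script-security 2\nup /tmp/update.sh\n"

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("tampered", TAMPERED_CONFIG)):
        report = audit_ovpn(cfg)
        print(label, report["remotes"], report["problems"])
```

Run it on the files you actually downloaded; anything in `problems` is a reason to ask the provider (or re-download over a different path) before importing with `nmcli connection import type openvpn file <name>.ovpn`.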
What do you mean "found malware?" You checked the installer and found that some aspect was malicious or some software you are running said it found malware? As the installer seems likely to cause false positives.
You're still better using independent VPN clients, but I would not trust them at all if the installer actually has malware.
I spotted loads of malicious network traffic, and using the Sysinternals Autoruns[0] utility I was able to spot attempts at persistence. I also checked the outbound connections and they were C&C servers. I can't remember if the installer was digitally signed or not, but there was definitely malware in it. I always make sure to opt-out of any adware that might be bundled with an installer, but this seems to have been injected surreptitiously, and installed with very little interaction.
Just be careful with the bespoke VPN clients as they are very juicy targets for MITM attacks. I know I would be going after VPN software if I wanted to do exfiltration for a small subset of users trying to hide their tracks from governments and ISPs.
So an installer was trying to set up autoruns, and the outbound connection IPs were on some list? The first part seems like expected behavior, the second sounds like your list of bad IPs included several that one of the most popular VPN providers use.
This was before the client even connected for the first time. And the IPs were well known C&C servers used for collecting keystrokes and screenshots of your OS
Checking if their various servers exist on install seems likely. And well known C&C servers probably hide their actual IP, they'd be fairly easy to shut down if they didn't.
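The back-and-forth above boils down to two triage questions: which autorun entries are genuinely new after the install (and are they signed), and are the flagged outbound destinations really C&C or just the provider's own servers appearing on a blocklist. This added example (not from the thread, from PIA, or from Sysinternals) does both over constructed data: it diffs two Autoruns-style CSV exports taken before and after an install, and checks observed connections against a blocklist while treating the provider's published endpoints (for instance the `remote` lines of its .ovpn files) as expected. The CSV column names are an assumption based on the Autoruns export format; check them against a real export before reuse. All addresses are documentation-range placeholders, not real indicators.

```python
"""Post-install triage: new persistence entries and blocklisted outbound connections."""
import csv
import io

# Constructed Autoruns-style exports (subset of columns; layout is an assumption).
BEFORE_CSV = """Entry Location,Entry,Enabled,Signer,Image Path
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\\windows\\system32\\securityhealthsystray.exe
"""
AFTER_CSV = """Entry Location,Entry,Enabled,Signer,Image Path
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,c:\\windows\\system32\\securityhealthsystray.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,vpn-updater,enabled,(Not verified) Example VPN Ltd,c:\\users\\alice\\appdata\\roaming\\upd\\svc.exe
Task Scheduler,\\VpnClientStart,enabled,(Verified) Example VPN Ltd,c:\\program files\\examplevpn\\client.exe
"""

# Constructed connections seen during install: (pid, process, remote_ip, remote_port)
CONNECTIONS = [
    (4120, "setup.exe", "203.0.113.10", 443),
    (4120, "setup.exe", "198.51.100.7", 1198),
    (5232, "svc.exe", "192.0.2.45", 8080),
]

# Constructed threat-intel blocklist and the provider's own published endpoints.
BLOCKLIST = {"192.0.2.45", "198.51.100.7"}
PROVIDER_ENDPOINTS = {"198.51.100.7"}


def load_autoruns(text):
    """Key each row by (location, entry) so the same entry can be matched across exports."""
    return {(row["Entry Location"], row["Entry"]): row
            for row in csv.DictReader(io.StringIO(text))}


def new_persistence(before_csv, after_csv):
    """Entries present after the install but not before, with a signature check."""
    before = load_autoruns(before_csv)
    after = load_autoruns(after_csv)
    findings = []
    for key, row in after.items():
        if key in before:
            continue                                   # pre-existing, not the installer's doing
        findings.append({
            "entry": row["Entry"],
            "image": row["Image Path"],
            "unsigned": not row["Signer"].startswith("(Verified)"),
        })
    return findings


def suspicious_connections(connections, blocklist, provider_endpoints):
    """Blocklist hits, separating the provider's own endpoints from everything else."""
    findings = []
    for pid, proc, ip, port in connections:
        if ip not in blocklist:
            continue
        findings.append({
            "process": proc,
            "pid": pid,
            "dest": f"{ip}:{port}",
            # A provider endpoint on a blocklist is more likely a noisy feed than C&C.
            "likely_false_positive": ip in provider_endpoints,
        })
    return findings


if __name__ == "__main__":
    for f in new_persistence(BEFORE_CSV, AFTER_CSV):
        print("new autorun:", f)
    for f in suspicious_connections(CONNECTIONS, BLOCKLIST, PROVIDER_ENDPOINTS):
        print("blocklist hit:", f)
```

The signed entry under `Task Scheduler` is what an installer is expected to create; the unsigned binary launched from a user profile directory is the one worth pulling for analysis, and the blocklisted address that is also a provider endpoint is the case the skeptical replies above describe.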