by Oeck 2185 days ago
Hi everyone,

We are in need of beta testers for our VPN apps and service. We have a few beta testers, but we are in need of many more.

The VPN provides new features that are unique to Oeck. We also offer high levels of security. Any and all help would be very much appreciated.

The service is completely free for the duration of beta, so please feel free to use the service for as long as you like.

Regards, Peter @ Oeck.

1 comments

Why should we trust you with our internet traffic logs?

In my opinion, the answer is much more important than any one feature.

To add to this, three more pieces of feedback:

1. Where is the company incorporated? This is a critical piece of information when choosing a VPN provider, and I cannot find it anywhere on your website. It should be front, and centre.

In Germany the law says you need an "Impressum" page added to your website, with your company information on it. While I do not live in Germany, I made a point of adding that page to every website I put online[1].

2. The website does not work with JS disabled. If you tell me you sell security, or privacy, and your website does not work with JS disabled, I will likely walk away.

3. In general, I tend to trust a company more if they open source their code, and if they run their business in the open. Mullvad[2], and Confirmed VPN[3] come to mind.

I would also recommend that you read, and try to meet the criteria set by the PrivacyTools folks[4], as a lot of your target audience will come from them, and trust their choices.

EDIT: Found the incorporation information in the FAQ after navigating a bit[5]. That is on me, my sincere apologies.

[1] https://i.cpimg.sh/jEtNeUSR4TEd.png

[2] https://mullvad.net/

[3] https://confirmedvpn.com/

[4] https://www.privacytools.io/providers/vpn/#criteria

[5] https://www.oeck.com/faq/privacy_and_security/

Hi jamesponddotco,

Thank you very much for taking a look! Although you have found information in your edit, I will reply so that other users viewing the thread have an easier time reading it.

1) The company is incorporated in Hong Kong. Although we are Australian, the privacy laws in Australia suck. We wanted to keep our customers safe, so that is what ultimately led to the decision. You can find this information at https://www.oeck.com/faq/ and more specifically at https://www.oeck.com/faq/privacy_and_security/

2) The website is built on top of Xenforo ( https://xenforo.com ). Our navigation, .ovpn builder, alerts and other features rely on JS in order to function properly.

3) I answered this in the post above, but here is the copy/paste.

Open Source apps - Due to the way our VPN works, we found the best solution for us was to use the libvpn libraries. They can be found at http://libvpn.com/

These libraries, unfortunately, are not open source. However, they are very powerful and the code is of good quality. Due to this, we are unable to make our apps completely open source.

Again, open sourcing the apps, although it looks good, ultimately doesn't mean anything. Any malicious activity can be done in the back-end. The apps' source code may show up fine, but the back-end of the service can do whatever the owners want.

That's not to say open sourcing them isn't a good thing, it is just that aside from the fact that we can't do so, ultimately it means little if the service provider wanted to screw its customers.

Thank you for the Impressum idea. We will add that soon. It is a good idea and easily implemented.

Regards, Peter @ Oeck.

> Our navigation, .ovpn builder, alerts and other features rely on JS in order to function properly.

At the end of the day, that does not matter for the customer. If they have JS disabled, and you force them to enable it, you lost a customer.

As customers, we are expected to have JS enabled for signing up, and logging in, but a marketing website should not require it.

> Again, open sourcing the apps, although it looks good, ultimately doesn't mean anything. Any malicious activity can be done in the back-end.

Sure, I agree with that.

However, notice that I said "if they open source their code, and if they run their business in the open". There is a lot that you can open source, but more importantly, you can operate your business in an open, and transparent way.

Take Confirmed VPN[1] as an example. They allow you to request a read-only account to audit their infrastructure, and AWS account, to make sure they do what they say they do.

Or SourceHut[2], which make most of their business decisions in the open, for anyone to see.

Opening your code is not the only way to have an open business.

[1] https://openlyoperated.org/report/confirmedvpn

[2] https://sr.ht/~sircmpwn/sourcehut/

Hi jamesponddotco,

Thanks for taking the time with this.

Unfortunately there is not much we can do about the JS. We can put up static pages for marketing, but ultimately the website is there for the user to control various things to do with their account. It also allows guests to perform various tasks.

As far as your other point about the business itself being open, we are trying to run it in that exact manner. Regarding the audit, I replied to another user ( https://news.ycombinator.com/item?id=23666681 ). However, if you have an idea on how we can run the business more openly, I am happy to take it on board. We keep users in the loop, took time with our terms of service and privacy policy, as well as provided a bunch of information in the FAQ.

Regards, Peter @ Oeck.

Hi smt88,

Thank you so much for checking it out.

This is a problem. As far as I know there are only two ways to gain trust with an audience when your company is a startup. So I am going to be completely transparent with the answer and hopefully you will see our point of view.

1) Third party security audit - This is one way of a startup gaining trust. Having a third-party audit the VPN and the VPN showing the results. We actually went to see how much something like this would cost and it was in excess of $20,000. We unfortunately do not have this sort of money to put up. In addition to that, most VPN providers who have done so were already established and had a steady stream of income.

The issue I have with this is at the end of the day it is a $20,000+ sticker you can have. Should the VPN provider wish to do so, they can easily change their system after the audit is complete and do what they like anyway. So, I agree it adds to trust, but at the end of the day it can be reversed in the background. Having said that, when we can afford to do so, we will most likely get it done to follow protocol.

2) Open Source apps - Due to the way our VPN works, we found the best solution for us was to use the libvpn libraries. They can be found at http://libvpn.com/

These libraries, unfortunately, are not open source. However, they are very powerful and the code is of good quality. Due to this, we are unable to make our apps completely open source.

Again, open sourcing the apps, although it looks good, ultimately doesn't mean anything. Any malicious activity can be done in the back-end. The apps' source code may show up fine, but the back-end of the service can do whatever the owners want.

That's not to say open sourcing them isn't a good thing, it is just that aside from the fact that we can't do so, ultimately it means little if the service provider wanted to screw its customers.

I would love to hear feedback on other ways we could gain trust. In our FAQ we explain about our system and our privacy policy explains what we do not log, what we monitor etc. We also have an EV SSL certificate on the website to help build this trust.

Regards, Peter @ Oeck.