___________________________________________________________________
Infrastructure audit completed by Radically Open Security
Author : coldblues
Score : 513 points
Date : 2023-08-09 10:18 UTC (12 hours ago)
| smartbit wrote:
| As ivpn's gateway in Brussels is more often than not 100% [0]
| during the evenings, I'm looking for an alternative. This wasn't
| the case until some 6-12 months ago. Anyone have experience with
| mullvad's [1] throughput in Belgium?
|
| [0] https://www.ivpn.net/status/
|
| [1] https://mullvad.net/en/servers
| f_m wrote:
| I'm a little hesitant to say the following, since I don't
| collect metrics, and thus it's maybe a bit unfair on Mullvad,
| but: sometimes the Belgian Mullvad locations can be a bit slow.
| I've had that feeling from time to time, and on a few occasions
| when switching to their Netherlands locations I get better
| speed. Right now for instance I get close to full theoretical
| speed as promised by my ISP while going through Mullvad
| Netherlands, and only a quarter of that speed through the
| Belgian locations.
| burnaway wrote:
| This is Viktor from IVPN. We have recently added more capacity
| to our Belgium server. I'm looking at our internal graphs and
| it has not been hitting 100% in the past couple of days. We are
| monitoring it closely and ready to add more bandwidth if
| necessary.
| dontupvoteme wrote:
| Given that it's in the West I still think it's probably NSA
| compromised, but I'm not nearly important enough for the
| government to blow their cover about.
| p-e-w wrote:
| That's tinfoil hat nonsense. The NSA aren't gods, wizards, or
| aliens. They don't have the best people (those are mostly at
| FAANG), and their total budget is a fraction of Big Tech's.
|
| If you ever find yourself assuming that the NSA/CIA/etc. have
| magical knowledge that's decades ahead of everyone else, or
| have "assets" in every village on Earth, you know you've been
| watching too much TV.
| dboreham wrote:
| > That's tinfoil hat nonsense.
|
| Understand that direct contradiction is not terribly helpful,
| but this seems important so: no it isn't. (supported by years
| of public evidence, and also some personal experiences that I
| can't go into due to <reasons>).
| dontupvoteme wrote:
| It's not about the NSA so much in my view, it's about the
| west simply most likely going completely along with America
| as long as it doesn't involve going to war (e.g. Iraq) which
| could cost them an election. And a number of European
| countries are clamoring for draconian surveillance
| themselves.
|
| And the Best People aren't at FAANG. They are at hedge firms.
| pessimizer wrote:
| > the NSA/CIA/etc. have magical knowledge that's decades
| ahead of everyone else
|
| Exactly what the hell kind of magical knowledge does it take
| to compromise a VPN? They could own the thing completely.
|
| If you ever find yourself thinking that massive intelligence
| agencies with budgets in the tens or hundreds of billions of
| dollars aren't doing anything and have no function, you've
| been watching too much TV news. If you think that governments
| require the _magical knowledge of gods, wizards and aliens_
| to compromise a VPN service, you've completely retreated
| into fantasy.
| robertlagrant wrote:
| > their total budget is a fraction of Big Tech's
|
| The NSA was getting $10.5bn to spend in 2013[0]. I can only
| imagine it's gone up since then year on year. That's not a
| bad fraction when your whole goal is signals intelligence.
|
| [0] https://www.washingtonpost.com/world/national-
| security/black...
| p-e-w wrote:
| Volkswagen's research budget was $21 billion in 2022.
| $10.5bn is _nothing_ in the big picture, and certainly not
| enough to "control the world" or whatever grand claims are
| commonly made about the NSA.
| robertlagrant wrote:
| No one said control the world. Just that a VPN provider
| is probably compromised by the NSA.
| pessimizer wrote:
| Do you think Volkswagen could compromise or secretly own
| a VPN service?
|
| You're the one making grand claims about the NSA
| controlling the world. It's a lot easier to argue with
| claims you made up.
| DANmode wrote:
| ...and that amounts to a _lot_ of drivespace.
|
| (Based on the available data, not spending their budget on
| FT talent; they apparently get that with their logo.)
| trefoiled wrote:
| Are you familiar with PRISM or the information Edward Snowden
| disclosed? The NSA doesn't need "magical" knowledge from the
| future, they have back doors and exploits in hardware, data
| collection methods directly arranged with ISPs and FAANGs,
| and free legal rein. The "best people" at FAANGs readily
| cooperated with the NSA and FBI, doing everything they could
| to assist them. If you've never looked into PRISM, I highly
| recommend going down the rabbit hole.
|
| https://en.wikipedia.org/wiki/PRISM?wprov=sfti1
| noirscape wrote:
| Perhaps for some indication on how much "they're not gods"
| is, it's worth looking at the things the CIA did to try and
| assassinate Castro (as well as any of the shenanigans they
| did during the Cold War, including trying to train cats with
| spy sensors in them to wander into a Soviet embassy - that
| one failed because it took too long to train and their one
| successful cat was driven over by a taxi when set loose on
| the street across the embassy).[0]
|
| It's less "super top secret spy agency hires a hitman to take
| out Castro" and more "we're just going to throw whatever we
| can at the wall and see what works". Plans included literally
| mailing him exploding cigars (on the assumption that Castro
| liked smoking so mailing him one _might_ just work), hiring
| his ex to try and kill him on a plane ride (which just
| resulted in the ex rebounding with Castro) and some campaigns
| to try and make him look weak that can only be described as
| "hilarious" like flying a plane over the country and dropping
| leaflets with a bounty of $0.02 on his head with the idea
| that he was so weak that the bounty wasn't worth anything
| (although this one was rejected, they also attempted to make
| him look foolish by lacing a radio broadcast room with
| LSD).[1]
|
| To pull a quote from Alan Moore: "If you are on a list
| targeted by the CIA, you really have nothing to worry about.
| If however, you have a name similar to somebody on a list
| targeted by the CIA, then you are dead."
|
| [0]: https://en.m.wikipedia.org/wiki/Acoustic_Kitty
|
| [1]: https://en.m.wikipedia.org/wiki/CIA_assassination_attemp
| ts_o...
| yieldcrv wrote:
| You're still trusting that
|
| Mullvad never changes
|
| Mullvad never is compelled to change by coercion
|
| The data center Mullvad uses - a separate company - never
| compromises them out of curiosity, preference, coercion
|
| That governments skip the private sector coercion entirely and
| just add their own devices and logging in the middle, which came
| out of the Snowden leaks as normal 10 years ago.
|
| All VPNs have this limitation. They're just internet resellers
| that amusingly try to differentiate an audience based on privacy.
| puppymaster wrote:
| Hence the archive records of their yearly audit dating back to
| their founding year.
| bayindirh wrote:
| You can't trust anything you have not built, incl. your laptop,
| keyboard, mouse, phone, car, even your teabag (what happens if
| they're randomly drugging your tea to test some pathogens, with
| a request from your government).
|
| Even if you have built that thing, you can't trust any semi-
| capable chip to not log, change, or exfiltrate data in any way
| possible.
|
| So, the hole has no bottom.
| pessimizer wrote:
| You're right. We're actually wasting our time ever thinking
| about our security or privacy, or taking any measures to
| protect it. You've convinced me that _some_ security is an
| illusion, and that the real answer is trust.
| worble wrote:
| To achieve true privacy, first you must create the universe.
| bayindirh wrote:
| Let me get my big-bang kit, manufactured by _looks to the
| underside_...
|
| I don't know whether I can trust the company which made it.
| quectophoton wrote:
| For the people who don't have a kit yet, they can always
| take the cloud approach and use Google Online Development
| simulator (G.O.D. simulator) and follow their tutorial
| for Hello Universe[1].
|
| [1]: https://youtu.be/tmGMd2bqh6o
| DANmode wrote:
| Given enough time in your own head, this is doable.
| digitalsin wrote:
| Looking for Universe SDK in case you have a link
| Tijdreiziger wrote:
| https://zombo.com/
| vasco wrote:
| The universe you create is inside the universe you inhabit,
| which has no privacy, so the universe you create also
| has no privacy.
| bayindirh wrote:
| No, you create a parallel one. It executes sandbox escape
| after a couple femtoseconds.
| yieldcrv wrote:
| if you want privacy on the internet you have options. VPNs
| give you privacy from your local network and ISP and a little
| bit from the destination service, and that's it.
|
| there are options to have privacy from additional kinds of
| parties. i2p, tor. whonix distribution of linux, tails...
| red-iron-pine wrote:
| > there are options to have privacy from additional kinds
| of parties.
|
| like ones you pay to use their VPN servers...?
| bayindirh wrote:
| What if your VPN is the _true adversary_ here?
|
| Edit: Also, questioning the trustworthiness of VPNs and then
| putting them forward as a solution is... a bit unorthodox.
| pessimizer wrote:
| This thread is reacting to someone pointing out the
| weaknesses in VPNs. It's the people who were triggered by
| that to defend VPN usage against the pointing out of this
| reality, and to imply everyone aware of the drawbacks are
| paranoiacs; it's those people who have committed
| themselves in advance to a solution.
| digging wrote:
| > What if your VPN is the true adversary here?
|
| They're not. Spectrum is my true adversary. My VPN may
| also be an adversary but that's a possibility, whereas
| Spectrum is a certainty.
| stjohnswarts wrote:
| Always critics but never providing a viable alternative. So
| please tell us your model, yank the cable out of the wall and
| pitch your phone in the lake? I'm mostly concerned about
| advertisers, corps, and my ISP. I know that in my country (the
| USA) that if they want something out of me they'll take me to a
| back room and beat it out of me, so generally I don't do
| illegal stuff.
| yieldcrv wrote:
| i2p, tor. whonix distribution of linux, tails...
| Knee_Pain wrote:
| VPNs are for escaping private adtech firms, not governments. I
| don't know where you got this impression from.
| yieldcrv wrote:
| perhaps the annual audits, a bit of theatre if it's just for
| escaping private adtech firms
|
| this attracts people that want a subpoena to yield nothing
| Jolter wrote:
| Which data center company do they use?
| bravura wrote:
| Bro, you're too simple.
|
| Are you even printing your own chip wafers?
|
| Do you ever key your passwords outside places where you have
| total physical control?
|
| On that note, do you let your love person stay over for the
| night (have physical access to your flat)?
|
| Your incompetent and flabby security posture makes me want to
| puke. At the very least, admit that your security posture is
| "typical educated HN reader" and you're not serious, so the
| rest of us can continue on our business without your mind
| numbing puerile distractions.
|
| [okay that rant was really just a "holier than thou" parody
| about how if you're going to maintain a security posture that's
| more tense than 90% of your peers, at least acknowledge what
| threat model you espouse and acknowledge that others may have a
| different one. If you had been like: "is this your threat
| model? Then why don't you care about this...", you would have
| my upvote not my snark. Even if that weren't my threat model I
| would have found that exposition commendable.]
| pessimizer wrote:
| Yes, realizing that you can't trust the ownership of a
| company to stay consistent for eternity is basically like
| thinking your mate is working for the government to steal
| your passwords.
|
| What investment do you have in people trusting VPN providers
| that would cause you to make an argument like that? I bet
| none, it's just a bad instinct.
| yieldcrv wrote:
| i2p, tor. whonix distribution of linux, tails... but ok
|
| I didn't expect the sarcastic tone of responses but I also
| don't understand why people act like sports team fans of VPN
| providers. there are other solutions, easily accessible, that
| do more than VPNs can do, depending on your threat model
|
| a VPN user that supposedly just wants to avoid adtech
| tracking doesn't need annual audits about how little data one
| VPN stores over the other
| blfr wrote:
| At least for the DC compromise, you can multihop through
| servers from different providers.
| wing-_-nuts wrote:
| I'm not worried about my government as it currently stands. I'm
| squicked out by the fact that every single private company I
| interact with seems to be falling over themselves to collect as
| much data about me as possible, and resell it to anyone who
| will pay. There are no protections against this in the US.
|
| I _am_ worried, at least a little bit, about an authoritarian
| government coming to power and basically weaponizing past data
| collected against its citizens. I've seen the inferences
| facebook and google can make with privately collected data. I
| don't think it's too outlandish that governments would be able
| to quickly and easily create detailed dossiers on everyone that
| protested against x or voted for opposition candidate y.
| pessimizer wrote:
| The Nazis used the census to find Jews. A huge amount of
| people had no idea that they had matrilineal Jewish descent
| until the Nazis and IBM told them.
|
| https://en.wikipedia.org/wiki/IBM_and_the_Holocaust
| r3trohack3r wrote:
| > That governments skip the private sector coercion entirely
| and just add their own devices and logging in the middle, which
| came out of the Snowden leaks as normal 10 years ago.
|
| In the U.S., VPNs are not effective against targeted
| surveillance. But they very well may be effective against
| government passive surveillance programs like the President's
| Surveillance Program.
|
| The Snowden leaks revealed many things. What stood out most to
| me about them was that the government _tried_ to stay within
| the confines of the law. It was a very twisted, contortionist,
| interpretation of the law, but they did try very hard to stay
| within the bounds of the legal theory that allowed the program
| to exist.
|
| Based on the leaks, if you'd have been running HTTPS over a VPN
| during the PSP, it's likely a good portion of your traffic
| would have evaded the program.
|
| https://everytwoyears.org/2020/07/13/tactical-privacy.html
| Cort3z wrote:
| I came across mullvad some time ago (apparently they struck a
| deal with Mozilla). Anyway, their service is great and it is such
| a rare thing to just pay for a service without all the nonsense
| around. Just; click here to get an account. Nothing else. Then
| just freaking press pay, in any of a huge array of methods,
| including cash in the mail!
| Tenoke wrote:
| I have PIA paid until December but I'm getting so many captchas
| with them that I've been seriously considering paying for
| Mullvad, too. Glad to see people are still happy with them so I
| can go ahead.
| stjohnswarts wrote:
| You'll get captchas with any VPN provider these days.
| Cloudflare is taking over my friend.
| ibejoeb wrote:
| I don't want to discourage you from using Mullvad, but there
| are lots of captcha and cloudflare problems there, too. I
| consider it a cost of doing business.
| digging wrote:
| There are other reasons to stop using PIA, for example they got
| purchased in 2019 by Kape Technologies which is quite shady.
| [deleted]
| no_time wrote:
| As an occasional mullvad customer I'm glad to hear.
|
| That being said, I wonder why we aren't hearing about any cases
| involving them and cybercrime. Letter soup agency smear campaigns
| or actual cybercrime.
|
| They operate totally in the clear as opposed to Tor and other
| overlay networks, but unlike with Tor, there are no "opinion
| articles" or biased news articles slamming them as pedophile
| enablers.
|
| I just find this odd. /Paranoid schizo mode off
| pydry wrote:
| There was one recently involving Swedish police, I think.
|
| I expect VPN usage is easy enough to unmask by state level
| actors with timing attacks.
| user764743 wrote:
| If the VPN is hosted in America or Europe it's without a doubt
| logging, otherwise they would not be able to operate legally.
| Full Spectrum Awareness logically means VPNs should be prime
| targets for the surveillance state that we're in.
| Karunamon wrote:
| What law would require an American VPN host to log the
| activities of their subscribers? CALEA only applies to
| telecoms and ISPs (legal common carriers), a VPN provider is
| neither.
| stonepresto wrote:
| Up front, I believe Mullvad is the best commercial VPN solution
| and is doing a great job at making good privacy more accessible.
|
| However, a lot of the comments here seem to be hailing VPNs in
| general as the solution to privacy on the internet.
|
| I would like to remind people that VPNs only really protect you
| against two things: your ISP and the endpoint. And that's
| assuming that your ISP isn't doing some shady analytics.
|
| That being said, knocking those two things off the board is a
| huge benefit to privacy and absolutely should be done.
| morjom wrote:
| >..a lot of the comments here seem to be hailing VPNs in
| general as the solution to privacy on the internet.
|
| ..where?
| wwfredrogersdo wrote:
| > that's assuming that your ISP isn't doing some shady
| analytics
|
| Can you elaborate on this? So ISPs often engage in tactics that
| thwart VPN usage? Which ISPs? What tactics?
| axus wrote:
| https://en.wikipedia.org/wiki/Room_641A
| rvnx wrote:
| Why would they even do so? Large ISPs are public, so this
| activity would appear as extra revenue (if they sell traffic
| data) in their financial reports and annual reports.
|
| The most likely is that ISPs are just respecting the local
| laws, and doing the minimum retention as required by the law
| (because more data storage = more costs),
|
| and that their actual fear is that someone leaks this data
| and causes reputation damage, so they'd avoid storing
| anything if they can.
| mattlutze wrote:
| ISPs are also in the business of analytics [1, 2], and a
| significant percentage of customers hiding their traffic
| reduces the value of their analytic products.
|
| 1: https://www.bleepingcomputer.com/news/security/ftc-isps-
| coll...
|
| 2: https://surfshark.com/blog/isp-selling-data
| drpossum wrote:
| This view is extremely western, not all ISPs are obligated
| to show "financial reports", and "shady analytics" does not
| imply a user's complete network traffic record into
| perpetuity. And even if your arguments were valid, this is
| not limited to the ISPs financial gain, but surveillance
| which occurs in every country.
| mike_d wrote:
| > Why would they even do so? Large ISPs are public
|
| Ehh, not really. China Telecom for example is 70% owned by
| the State. You aren't going to be able to buy shares in
| Parsnet.
| bippihippi1 wrote:
| for security, all dangerous malware runs on encrypted
| traffic
| trevyn wrote:
| It is my understanding that many ISPs and backbone providers
| sell or otherwise disclose full detailed packet metadata,
| including precision timestamps, and that there are companies
| that aggregate this data across the entire Internet.
|
| At which point your VPN becomes just another hop in the
| trace.
|
| VPNs, no matter how secure they themselves are, are effective
| for accessing lightly geo-locked content and defeating
| unsophisticated analytics and tracking. They are really not a
| serious privacy solution in any sense, unfortunately.
| robertlagrant wrote:
| I don't understand this area well enough, I think. Doesn't
| a VPN encrypt the routing information that tells the packet
| where to ultimately end up? I.e. my ISP can see the traffic
| going to the VPN, but can't look inside it, and can't see
| where it goes from there?
| trevyn wrote:
| Correct, but the destination ISP chain (and of course the
| destination service itself) can equally see the traffic
| coming from the VPN, and if you have packet metadata
| (precise timing and packet sizes) from two sources on
| either side of the VPN, it is trivial to correlate those
| two streams.
| shrimp_emoji wrote:
| Note that Mullvad's WireGuard settings offer a "multihop"
| feature, meaning the VPN destination your ISP sees and
| the VPN endpoint the end service sees differ.
| wintermutestwin wrote:
| I'm not sure how that protects you though. ISP sees your
| traffic going into WG1. They know all of Mullvad's IPs, so
| isn't it just as easy to correlate that traffic when you
| exit through WG2?
|
| /question from ignorance
| shrimp_emoji wrote:
| Assuming the ISP monitors the entire network graph (your
| computer, the VPN server's activity, and the end
| service's server), you wouldn't. At that point, it's game
| over unless you're using mixnets or something.
|
| If they merely monitor your computer and the end service,
| the correlation weakens a little with plausible
| deniability.
|
| The real win is when the ISP adversary is monitoring your
| computer and the WG servers and NOT the end service. In
| that case, say they see you go to WG1, and then they see
| WG1 going to an end service. This is also correlation,
| and pretty undeniable. But say they see you go to WG1,
| then they see WG1 go to WG2, and they have no visibility
| of WG2's traffic. Then the tracking's broken; the
| footprints run off into the surf.
|
| So multiple hops buy you defense in depth assuming it
| eventually gets you outside your adversary's monitoring
| range.
| robertlagrant wrote:
| Equally ignorant response here :) How would they see that
| traffic? Why would the ISP be the same?
| bippihippi1 wrote:
| the reason the UK wants an encryption backdoor is because
| it's expensive to do statistical analysis of encrypted
| traffic. there are ways to make it more difficult, but if you
| own the certificate that a TLS endpoint uses you can just
| open it and reencrypt it for the destination. this is called
| break and inspect. if a VPN uses different certificates and
| is built well, there would have to be a flaw (spyware,
| vulnerability, etc) on one of the endpoints for anyone other
| than you and the VPN to read the encrypted data.
| stjohnswarts wrote:
| those two are huge though, and part of any multilayered
| approach to security. I doubt if most people think "VPN and
| done"
| gigatexal wrote:
| I switched to Mullvad after the last article I read here on HN
| about how they didn't log and couldn't offer logs to the
| authorities. I don't have the link but I was impressed and these
| audits are further proof that that decision was correct.
| traceroute66 wrote:
| > I switched to Mullvad after the last article I read here on
| HN about how they didn't log and couldn't offer logs to the
| authorities
|
| It should also be pointed out that OVPN[1] is an option as
| well. They were taken to court and won[2], so they demonstrated
| above all reasonable doubt that OVPN no-logging means no-
| logging.
|
| See the link for the detail, but I quote: "the Rights Alliance
| and their security experts have not been able prove any
| weaknesses in OVPN's systems that could mean that logs are
| stored. "
|
| [1] https://www.ovpn.com/en
| [2] https://www.ovpn.com/en/blog/ovpn-wins-court-order
| waithuh wrote:
| FYI their monthly subscription doesn't have multihop and thus
| offers an easier avenue for metadata matching
| burnaway wrote:
| OVPN was recently bought by the parent company of
| HotSpotShield. Make of that what you will.
|
| https://www.ovpn.com/en/blog/next-chapter-for-ovpn
| BoppreH wrote:
| I really respect how Mullvad is willing to sacrifice business to
| give extra security and reliability to the (remaining) customers.
| I first saw it when they disabled auto-renewal with PayPal,
| because it'd force them to store PII along with your account.
|
| Unfortunately for me, they made one too many sacrifices, and
| disabled port forwarding[1]. They don't store any contact
| information that could be used to warn customers, so my
| connection mysteriously failed one day and I was left with
| several months of prepaid service.
|
| I'm a bit bitter for that, but honestly their technical writing
| and security decisions have earned enough good will from me that
| I want them to keep the money. As the only VPN that doesn't feel
| shady, I wish them all the best.
|
| [1] https://mullvad.net/en/blog/2023/5/29/removing-the-
| support-f...
| hunter2_ wrote:
| > They don't store any contact information that could be used
| to warn customers, so my connection mysteriously failed one day
|
| This situation seems avoidable: what if the payment/signup flow
| had a big loud warning that you need to configure your own
| polling of an RSS endpoint using a client capable of pinging
| you?
| noahjk wrote:
| That's honestly a great idea for an alternative to
| newsletters... it would be nice if there was better first-
| party RSS support (what about in the email client?) since I
| don't think any OSs have it, because right now that would
| probably confuse most customers
| headsman771 wrote:
| The likelihood of being confused by rss among mullvad
| customers can't be very high.
| chefandy wrote:
| You might be surprised! The Mullvad client is super well
| designed and usable for newbs, and I'll bet a lot of
| their business is from people whose more technical
| friends told them it was a good idea. There's a reason
| that Tor warns users that posting personal information or
| using accounts with their regular credentials compromises
| anonymity.
|
| I wish RSS had more surface area with general computer
| users, but I reckon even being called RSS makes it
| unlikely. Folks in tech often forget how intimidating
| opaque names can be for nontechnical users.
| samcat116 wrote:
| This might be the most HN comment I've seen in a while
| riley_dog wrote:
| After they disabled port forwarding, I moved to ProtonVPN. They
| seem like the next best thing, and they continue to state that
| they have no intention of removing port forwarding (for now, I
| assume).
| kfreds wrote:
| I sincerely apologize for the inconvenience we have caused you.
|
| Announcing the removal of a feature such as this a mere 30 days
| ahead is not how we like to conduct our business in the general
| case. I expect those of our customers who relied on this
| feature to be disappointed by its removal as well as the manner
| in which it was done.
|
| Nevertheless it was the right thing to do. The manner and
| extent in which it came to be abused in recent months made it
| unacceptable for us to continue providing it. This feature
| should have been removed a long time ago, with a longer grace
| period. It wasn't - a mistake on our part - and some of our
| users suffered for it, including you. For this I am sorry.
|
| Affected customers can get their money back for any prepaid
| service they cannot use, of course.
|
| If you used port forwarding to (I) make a service reachable
| (II) from the open Internet there are plenty of good hosting
| providers which will happily take your business.
|
| If you used port forwarding to (III) stay anonymous while (I)
| making a service reachable we can highly recommend Tor's "onion
| service" feature. It was built with that use case in mind.
|
| If you used port forwarding to (III) stay anonymous while (I)
| making a service reachable (II) from the open Internet, there
| are no good options that we can recommend.
|
| Port forwarding needed to be removed on moral grounds. It
| needed to be removed because it was causing too much of a
| disturbance to our core mission of making mass surveillance and
| censorship ineffective.
|
| I hope my explanation has - if not allayed your disappointment
| - at least provided some clarity.
|
| Best regards, Fredrik Stromberg (cofounder of Mullvad VPN)
| BoppreH wrote:
| Thanks for the reply. I'm sorry my negative comment got to
| first spot on what should have been a positive post. I
| understand why the decision was made, and I think I'd have
| done the same.
|
| I really hope you guys stick around, Mullvad has exactly the
| posture that we need from security services.
| kfreds wrote:
| Thank you. There is no need to be sorry. I'm grateful for
| the opportunity to clarify things.
| 93po wrote:
| It is wild how good of a company and team you've proven to
| be. The world would be a much better place if everyone
| operated this way
| treesciencebot wrote:
| What sort of abuses have you encountered when dealing with
| port forwarding? Was it DMCA'd content hosting or were there
| other major issues with it? Also how do other VPNs that
| offer port forwarding (like Proton) function against those
| sort of abuses?
| electroly wrote:
| VPN port forwarding is, by and large, used for BitTorrent
| because you can't seed without it. VPNs are used for
| BitTorrent in general because it's well-known that IPs
| participating in BitTorrent are monitored and logged by
| anyone who wants to[0]. I bet it's at least 100 BitTorrent
| users for every 1 user using port forwarding for any other
| purpose.
|
| [0] https://iknowwhatyoudownload.com/
| Arcuru wrote:
| You can still seed/download without port forwarding
| setup, however the other person you're connected to needs
| to have port forwarding. Basically either side of the P2P
| connection needs to be reachable from the open internet,
| but not both.
|
| So you can still seed, it just won't be as usable.
| alwyn wrote:
| They give some examples of things bad actors used port
| forwarding for in the blog post[1] announcing the removal
| of the feature.
|
| [1]: https://mullvad.net/en/blog/2023/5/29/removing-the-
| support-f...
| azalemeth wrote:
| Reading between the lines, I'd be very surprised if it
| wasn't highly undesirable content, i.e. child porn or
| fraud. This came about a month after a very publicised
| raid by the Swedish police -- after which they left with
| nothing [1].
|
| [1] https://www.pcmag.com/news/mullvad-vpn-hit-with-
| search-warra...
| kfreds wrote:
| FYI: Our decision to remove port forwarding was not a
| reaction to the surprise visit by Swedish police. I wish
| we had been more clear about this in our blog post.
| kfreds wrote:
| There were several major issues.
| wing-_-nuts wrote:
| I had no idea this even happened. It would have been useful
| to show a notice within the app itself (like you do for patch
| notes?). Maybe you did, and I didn't see it, but I just got
| done paying for another 6mo on your service being none the
| wiser.
| kfreds wrote:
| I'm not sure whether we did or not. Please don't hesitate
| to contact support for a refund of remaining time in case
| you've decided to switch providers.
| madars wrote:
| Port forwarding doesn't seem to be a problem for long-
| established independent VPNs like AirVPN (based in Italy but
| very ingeniously without exit servers in Italy) or AzireVPN
| (Swedish; added port forwarding -- all mappings in memory, no
| static records -- just recently [1]). What makes Mullvad's
| situation different? Is it a question of margins for high
| traffic port forwarding users (Mullvad is branching out in
| browsers and search while these two are not) or something
| else? I used to be a long time user and a huge fan and
| proponent of Mullvad's but the communication here has been
| very much opaque. This is especially so as port forwarding
| removal was announced straight after a raid where police,
| after Mullvad's explanations, didn't take anything [2].
|
| [1] https://blog.azirevpn.com/port-forwarding/
|
| [2] https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-
| subjec...
| capableweb wrote:
| It seems pretty evident why they had to turn it off:
|
| > The manner and extent in which it came to be abused in
| recent months made it unacceptable for us to continue
| providing it.
|
| Probably the difference between Mullvad and AirVPN/AzireVPN
| is how popular the service is, which also usually dictates
| how popular it is for people to try to abuse it.
|
| Maybe 1% of each service's traffic is abuse, which for
| AirVPN/AzireVPN is not that much, but on Mullvad's scale it
| becomes a whole nother beast.
| kfreds wrote:
| I'm sorry we haven't been more clear in our communication.
|
| Our decision to remove port forwarding was not a question
| of margins - it was a moral and practical decision.
|
| Port forwarding is a feature with many legitimate use
| cases. This year it became clear that we had become popular
| for use cases we didn't want to support. Undesirable
| content and malicious services is a good summary. I'm not
| privy to more details than that as my main focus is
| research.
|
| Technology is often a double-edged sword, but thankfully it
| is often also a net benefit to its users and society in
| general. Privacy online is exactly that kind of technology.
| Enabling anyone to host any service anonymously on the open
| Internet is another matter.
|
| I hope AirVPN and AzireVPN somehow succeed with providing
| that feature while steering clear of its downsides. That
| would be awesome.
|
| Nitpick: Mullvad is older than both Air and Azire. :)
| madars wrote:
| Thank you! That clarifies :) I'm also glad for all the
| innovations Mullvad has invented/supported/etc in the VPN
| space -- anonymous account numbers, multi-server SOCKS
| proxies, Wireguard over TCP, post-quantum Wireguard,
| stboot, open APIs, the list goes on.
|
| It feels like VPN for apps is very different than a VPN
| for browsing. While in both cases I want my traffic to be
| mixed in with a lot of other people's traffic (so service
| provider dealing with complaints about neighbors is part
| of the value proposition), browsing use case is tied to
| IP reputation (so don't want someone to run a Tor exit on
| the same IP), whereas the app use case is much less IP
| reputation-sensitive but definitely benefits from port
| forwarding (e.g. to anonymously run nodes that power
| distributed infrastructure like crypto).
|
| I'd definitely pay premium, with longer commitments up
| front for "this server might be useless for browsing but
| run all your anonymous crypto nodes behind forwarded
| ports" type of service. Maybe if port forwarding is
| active only if you have 6+ months of outstanding service
| commitment (and you forfeit the balance if your port gets
| used for C&C or whatnot) is enough of a deterrent. Some
| VPNs are doing some traffic segregation already, e.g.
| having dedicated servers for P2P, though nothing exactly
| like this.
| Victor1024 wrote:
| Mullvad is probably the VPN with the longest track record
| of not keeping logs. I find it likely that the vast
| majority of people who hosted immoral content using
| Mullvad's port forwarding feature solely used Mullvad for
| this purpose because of their reputation. After Mullvad
| discontinued port forwarding, IVPN (probably the second
| most trusted VPN provider) came out a month later and
| announced that they were also discontinuing port forwarding
| [1]. I think it is likely other VPN providers will follow
| suit.
|
| According to Mullvad's blog [2] the police raid was related
| to a blackmail attack in Germany.
|
| [1] https://www.ivpn.net/blog/gradual-removal-of-port-
| forwarding
|
| [2] https://mullvad.net/en/blog/2023/5/2/update-the-swedish-
| auth...
| nerdchum wrote:
| This is a very articulately worded and elegant response.
| jjice wrote:
| I use IVPN and they also deprecated port forwarding. I believe
| they didn't cut people off directly but if you stop using it
| you can restart using it. I wonder if they removed it for the
| same reason.
| iaresee wrote:
| Have you found a replacement? I did some light investigation
| but nothing really felt as solid as Mullvad so I haven't jumped
| ship yet.
| irusensei wrote:
| Not that person, but I've spun up a 1984 instance paid with
| bitcoin without KYC. Then set up nat+rdr rules that forward to
| my service through a wireguard tunnel.
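A concrete version of the VPS-plus-WireGuard setup irusensei describes, as an added example that is not the poster's own configuration: it generates the VPS-side nftables redirect rules (used here in place of pf's rdr) and WireGuard config. Every interface name, address, port and key below is a placeholder assumption, not a value from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout (all placeholders):
#   eth0       VPS public interface, listening for the service on tcp/8443
#   wg0        WireGuard tunnel, VPS side 10.66.0.1/24, home peer 10.66.0.2/32
#   tcp/8443   the self-hosted service on the home peer
# The home peer points Endpoint at the VPS and sets PersistentKeepalive = 25,
# since it sits behind NAT and must keep the tunnel mapping alive.

# Emit an nftables ruleset that redirects inbound public traffic into the tunnel.
# Arguments: public-iface public-port tunnel-iface peer-addr service-port
gen_nft_ruleset() {
  cat <<EOF
table ip vpsfwd {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    iifname "$1" tcp dport $2 dnat to $4:$5
  }
  chain postrouting {
    type nat hook postrouting priority srcnat;
    # Masquerade so the home peer replies via the tunnel without needing
    # a default route through it; it only ever sees the VPS tunnel address.
    oifname "$3" masquerade
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    # Only the one redirected service may be reached through the tunnel.
    iifname "$1" oifname "$3" ip daddr $4 tcp dport $5 accept
  }
}
EOF
}

# Emit the VPS-side WireGuard config. Arguments: tunnel-addr listen-port peer-addr
gen_vps_wg_conf() {
  cat <<EOF
[Interface]
Address = $1
ListenPort = $2
PrivateKey = VPS_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = HOME_PEER_PUBLIC_KEY_PLACEHOLDER
# Restrict the peer to its single tunnel address so it cannot spoof others.
AllowedIPs = $3/32
EOF
}

# Apply on the VPS as root; defined here but not run, so the script is safe to
# execute just to inspect the generated files.
apply_vps_config() {
  sysctl -w net.ipv4.ip_forward=1
  gen_vps_wg_conf 10.66.0.1/24 51820 10.66.0.2 > /etc/wireguard/wg0.conf
  wg-quick up wg0
  gen_nft_ruleset eth0 8443 wg0 10.66.0.2 8443 | nft -f -
}

gen_nft_ruleset eth0 8443 wg0 10.66.0.2 8443
gen_vps_wg_conf 10.66.0.1/24 51820 10.66.0.2
```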
| mandelken wrote:
| Forgive my ignorance, but what's a "1984 instance"? (Google
| could not help me.) Thanks!
| skulk wrote:
| I googled "1984 vps" and came up with
| http://1984.hosting/. I have no idea if this is what GP
| is referring to.
| iaresee wrote:
| This might be the way I go. Thanks.
| BoppreH wrote:
| None as solid, no. My needs are fairly specific (exit node in
| a specific country, torrent-friendly, good speed, not too
| expensive, not too shady, first-party support for my OS'es,
| doesn't have to be government-proof), so you'll need to do
| your own research.
|
| For what it's worth, I eventually went with Proton VPN, but it's
| more expensive and gives a used-car-salesman feeling.
| digging wrote:
| > gives a used-car-salesman feeling.
|
| I really don't like the aesthetic direction Proton's been
| taking in the last few years, from top to bottom. I'm
| finding their mail apps, both in desktop web browser and on
| mobile, less and less usable. In addition I get this
| feeling from their design choices as well. I know their
| mission is to grow enough to challenge predatory providers
| like gmail, but it makes me wary and makes me feel as if I
| won't be using them in 5 more years.
| xvector wrote:
| Proton has unfortunately become incredibly bloated over
| the past few years. Meanwhile ProtonMail doesn't yet
| support auto-forwarding or (on mobile) email content
| search.
| pteraspidomorph wrote:
| I'm glad to read this. We considered switching to them earlier
| this year (couldn't find the budget) and it was still on the
| table, but this is a deal breaker. If we'd switched I'd have
| been in the same situation, with a lot of prepaid service I
| couldn't use as intended.
| BoppreH wrote:
| To be fair, the announcement came with the option of asking
| for refunds, and I have no reason to doubt them. My few
| interactions with their support were pretty good.
| asynchronous wrote:
| They still support opening up ports, it's just randomized
| instead of dedicated like UPnP.
| internet-mat wrote:
| This isn't true, Mullvad completely disabled port forwarding
| earlier this year. See:
| https://mullvad.net/en/blog/2023/5/29/removing-the-
| support-f...
| asynchronous wrote:
| I'm confused, the blog post backs up what you say but I can
| still set custom ports within my account page... And I'm
| currently running a service that needs to advertise out on
| a port to work from Mullvad.
| fruitreunion1 wrote:
| I don't want to revoke a key to test but I'm pretty sure
| that just sets the port in the Endpoint part of the
| WireGuard config file. (the port you use to connect, for
| if the regular one is blocked). Are you sure your service
| behind Mullvad is accepting incoming connections?
| electroly wrote:
| That custom port on the WireGuard config page is not the
| place where you'd configure port forwarding; that's not
| what that is. They had a separate port forwarding page
| for configuring city ports which is now gone. But you say
| you have it working. My guess is that you're just
| misremembering where the configuration is, and that
| Mullvad hasn't removed existing port forwards yet like
| they said they would.
| piaste wrote:
| Is it a torrent client, by any chance? Those can still
| work without port forwarding, if the swarm member you're
| sharing data with (regardless of direction) has an open
| port on their side.
|
| Try creating a new torrent with some random file, seeding
| it from a Mullvad device and downloading it from a
| different Mullvad device. That should only work if you
| have port forwarding set up (or if you're not actually
| going through Mullvad - you will see that by the peer IP
| in the torrent client).
| nabogh wrote:
| Oh really? Could you elaborate or point me in the direction
| of more information on this please?
| asynchronous wrote:
| https://mullvad.net/en/account/wireguard-config
|
| In the wireguard config section of their tutorials, there's
| a spot to put a custom port - it's really unclear from the
| docs but this allows you to expose out a service within the
| higher limits of the port ranges, and only on dedicated
| servers.
|
| Really hard to find but they call this "city ports" over
| global ports because you have to set them up beforehand.
| Hakkin wrote:
| The "custom port" option in the config creator just sets
| the endpoint port to use for Wireguard. It has nothing to
| do with port forwarding.
| 2OEH8eoCRo0 wrote:
| The discontinuation of port forwarding forced me to leave which
| is unfortunate because they are excellent.
| pixelatedindex wrote:
| I'm a network newbie so I have no idea about the importance of
| this. I have done port forwarding in my router before, mainly
| so I can access my Plex system outside of my house. I used to
| set up port forwarding when torrenting but I have realized that
| I can still get my Linux ISOs without it. I never cared even
| though I'm a heavy user of their product. When will it start to
| affect me, or in other words, what use cases am I locked out of
| when port forwarding is disabled?
| treyd wrote:
| Your torrent client probably uses UPnP to have your router
| selectively open ports to your machine for the duration of
| the session.
| duozerk wrote:
| You'd need that feature if you desired to host an actual
| service (a webserver for example) _behind_ the VPN
| pixelatedindex wrote:
| Oh!! That makes a ton of sense now, I feel dumb for not
| thinking about that since I was just doing some config
| changes for Docker services running in my home server. I
| realized I couldn't access it from another machine because
| the Dockerfile didn't have ports forwarded appropriately.
| Thank you very much!
| [deleted]
| pipes wrote:
| Becoming well known for always trying to put customers first is
| a good strategy and probably makes business sense in the long
| run. I have used mullvad for years. I have no intention of
| shifting provider. Mainly because the evidence is starting to
| stack up that they are one of the few good actors in a cess pit
| of shitty/shady competition. (Though it's a shame mullvad gets
| blocked by netflix, well the last time I tried it wasn't
| working).
|
| The only other service I have any brand loyalty to is gog.com. For
| some reason I feel the same about them.
| darkwater wrote:
| What are legitimate use cases for port-forwarding behind a
| VPN IP? Genuinely curious, I'm not implying anything. The main
| use-case is hosting something for which you don't want to
| reveal your IP or circumvent some ISPs that block hosting web
| servers on their residential IPs. I'm sure I'm missing many
| more use cases.
| morpheuskafka wrote:
| I have been out of the loop for a while on this, but doesn't
| BitTorrent require you to set up a port forward? Otherwise
| you can only connect to peers that do, but not other peers
| that don't.
| 2-718-281-828 wrote:
| any competent opinions on protonvpn vs mullvad vpn?
| pwpw wrote:
| Both are fine for vpn performance. However, Mullvad has won me
| over with their business practices.
|
| Mullvad accepts my payment for a month of use at a time, and I
| manually renew it (after I receive a reminder) each month. If I
| don't need a vpn the following month, I don't pay for another
| month. I also find Mullvad works a bit better on Linux too.
|
| I just got hit with a 2 year auto renewal charge from proton
| for my old proton account (email, storage, vpn) for roughly
| $200 with no email reminder. I thought I had cancelled the auto
| renewal, but I apparently hadn't. When I went to cancel it
| after receiving the charge, the process was full of dark
| patterns and offers to continue my service, ending with the
| inability to downgrade because it required me to manually delete
| emails for 30 minutes to free up storage to downgrade to the
| free account.
|
| It feels like proton has shifted their focus to metrics and
| profit growth over user experience while Mullvad simply
| provides a great product with no trickery.
| protonmail wrote:
| Please note that Proton subscriptions are automatically
| renewed, as well as that if you are using multiple services
| under the same Proton account, the access to all of them will
| be suspended if an invoice has not been cleared for longer
| than 14 days: https://proton.me/support/delinquency. We
| cannot downgrade a subscription for you automatically, as
| only you can choose what data should be removed from your
| Proton account - it is impossible to downgrade the account to
| a Free subscription if it exceeds the limits of the Free
| subscription.
|
| However, as soon as you downgrade the account yourself and
| cancel the subscription, we will automatically refund you for
| the unused time. The refund is automatically issued in the
| form of Proton credits which you can use for a Proton paid
| service in the future, or you can request the credits to be
| refunded back to your original payment method by contacting
| our support team: https://proton.me/support/contact.
| pwpw wrote:
| This entire situation would have been avoided if you had
| sent me an email saying, "Hey, we wanted to let you know
| that you are subscribed to an auto renewing plan that is
| set to charge your payment on file in two weeks." Instead
| you have taken my money, and I have to spend my free time
| asking for it back.
|
| > We cannot downgrade a subscription for you automatically,
| as only you can choose what data should be removed from
| your Proton account - it is impossible to downgrade the
| account to a Free subscription if it exceeds the limits of
| the Free subscription.
|
| Add a button to delete all data in my account that appears
| when you tell me you can't downgrade.
|
| > The refund is automatically issued in the form of Proton
| credits which you can use for a Proton paid service in the
| future, or you can request the credits to be refunded back
| to your original payment method by contacting our support
| team
|
| What is a proton credit? You chose to issue an unauthorized
| payment on my card in USD.
|
| To summarize my experience, in order to cancel a
| subscription at the end of its period, one must:
|
| - Set a reminder to cancel the subscription potentially
| years out because they cannot disable auto renew
|
| Failing to cancel before being charged without a warning
| email, they must:
|
| - Discover how to manually delete all of their files across
| various proton services to get their storage below a free
| tier threshold
|
| - Email support to ask that their refund issued in proton
| credits be converted into their payment currency
|
| - Respond to support's email asking if they are sure they
| want a refund
| allarm wrote:
| Please note that this response and the whole reasoning is
| absolutely ridiculous. But thank you for it anyway, I'll
| make sure to keep away from your services in the future.
| hammock wrote:
| Mullvad is THE ONLY mainstream VPN that doesn't have seriously
| questionable credibility.
|
| Proton VPN is very questionable - sleuths have figured out that
| it's just a white-labeled version of NordVPN. But the trail is
| a rabbithole, and you might not be personally satisfied with
| the standard of evidence. Here is a start for you:
| https://news.ycombinator.com/item?id=23571653
|
| And since the link to [2] in what I linked above is broken,
| here is the archived version: https://archive.is/iZ2l2
| bscphil wrote:
| I don't find this credible whatsoever, and I think you should
| stop making this claim.
|
| The only piece of evidence in your linked comment is the now
| defunct blog post: https://web.archive.org/web/20200629163107
| /https://vpnscam.c...
|
| In addition to reading like it was written by an angry 12
| year old, it makes some enormous logical leaps. The facts
| given are that Proton has an official legal entity in
| Lithuania called PROTONVPN LT, UAB, and another company
| called Tesonet shared Lithuanian offices and apparently some
| business services with them. The article claims that Tesonet
| is a "data mining company" based on the following evidence:
|
| > Tesonet has its hands in "Machine Learning Solution,
| cybersecurity, and collection of business intelligence data"
| in efforts to create algorithms, that best suit their client
| business needs. If you read their about page, the company
| openly states it employs many different technologies to
| structure data, which is run on various services like MySQL,
| Ansible, collectd, StatsD, ElasticSearch, Grafana, Influx DB,
| Python, and Couchbase.
|
| > ALL of these names rely on HEAVY USER INFORMATION, which
| makes sense, considering that Tesonet is a DATA MINING
| company. Now, let us not forget that Lithuania itself is a
| NATO member that regularly holds NAZI marches.
|
| Let's just say that I'm not immediately convinced that
| Tesonet is in the business of selling user data.
|
| The article also claims that in one online Lithuanian
| business services directory, the CEO of Tesonet was listed as
| the head of PROTONVPN LT, UAB. I have no idea of the
| legitimacy of this claim, but it stretches plausibility to
| claim that Proton is secretly not a Swiss company and
| secretly has a Lithuanian data mining company CEO as its
| head.
|
| The article then goes on to make some completely unsupported
| allegations: "the real question is not whether ProtonVPN is
| working with Tesonet, but if the provider is owned by the
| data mining company" and "Under the name of a FREE VPN
| service, they've been collecting USER DATA all along."
|
| Furthermore, the original source of most of this information
| actually comes from a Hacker News comment. The article links
| to a comment by the head of Private Internet Access!
| https://news.ycombinator.com/item?id=17258203
|
| Unfortunately this gives the game away, because the comment
| is "retracted and removed by author's request". Dang
| comments:
|
| > In addition to the redacting the above comment, we deleted
| several comments below by request of their authors. My
| understanding is that the dispute has been resolved and that
| the allegations are retracted.
|
| In other words, it appears to me that the true source of
| these rumors has retracted them and no longer believes that
| Proton has the claimed ties to Tesonet.
|
| Ironically, as a result of looking into this, I feel slightly
| _more_ confident about ProtonVPN than I did previously.
|
| Edited to add: you're also stretching even the blog post's
| unsupported allegations in your comment, when you say that
| ProtonVPN is "white-labeled" Nord. The article makes the
| unsupported insinuation that ProtonVPN and Nord are both
| owned by Tesonet, but this is different from the claim that
| ProtonVPN is just Nord repackaged as a different product, as
| you claim here.
| DANmode wrote:
| > In other words, it appears to me that the true source of
| these rumors has retracted them and no longer believes that
| Proton has the claimed ties to Tesonet.
|
| I was nodding along, until this.
|
| Seeing someone retract a pretty specific claim like that by
| _calling on the admins to delete_, instead of leaving it
| up for posterity and/or discussing _how_ they made the
| error, feels more like a legal threat was received, and
| some pants were shat.
| buzzy_hacker wrote:
| I think those two are the most reputable VPNs. I've used
| ProtonVPN for years just since I wasn't aware of Mullvad at the
| time and can't be bothered to switch. I believe ProtonVPN
| hasn't had infrastructure audits, which Mullvad has had.
| [deleted]
| thenews wrote:
| mullvad if you want good support and good linux/mac/windows
| client, proton has a shitty linux client, they support dynamic
| port forwarding in their windows client
| salad-tycoon wrote:
| There is a pretty heavy bias against proton anything here, imo.
| My interpretation of the sentiment is that they are seen as a
| marketing company.
| sdfzguf wrote:
| If you experience something, it's already subjective. No need
| for the "imo" -escape. Same goes for sentiment. The sentiment
| is already what you observed, no need to further interpret
| that. Just share what you see. This is overly careful to a
| point where it almost lacks any content.
|
| Edit: To make this constructive, you could add why people
| think so and share a related link or something.
| stOneskull wrote:
| they're a bit lazy on their linux software. you have to do a
| little hacking for the vpn to work nicely, like just having a
| systray icon.
| dimaor wrote:
| I am currently using nordvpn and my subscription is going to
| expire pretty soon. I have been thinking of switching to mullvad for
| some time.
|
| apart from the price (nordvpn is cheaper), can someone please help
| me decide whether to switch or stay with nord?
|
| based on the comments in the thread I assume mullvad is better in
| terms of privacy, security and probably more.
|
| in addition, I don't use streaming services so the netflix
| selling point does not apply to me.
|
| thanks in advance!
| 0xbeefcab wrote:
| mullvad is well worth it IMO. Genuinely reliable, privacy
| forward, and consumer-friendly rather than trying to maximize
| profits and make their own lives easier
| sourcecodeplz wrote:
| I just use proton coz it is free
| dijit wrote:
| My biggest professional regret is not joining Mullvad when their
| founder emailed me.
|
| A seriously large chunk of their values aligns with my own, and
| it's woefully few technical enthusiasts that continue to place
| liberty over convenience -- meaning most of us tend to use
| hyperscaler cloud providers under the purview of the US
| Government. -- and before anyone mentions it; yes that has been
| an issue for me in my professional career as the cloud providers
| must adhere to US sanctions, meaning if you are from Cuba, Iran
| or _Crimea_ you can't play the games I made. -- which is
| annoying because you could buy our game legally in Russia and
| Ukraine, but if you happened to be in occupied territory then no
| play time for you.
|
| Sidetracked a bit, but it's really refreshing from the outside to
| see a company that isn't scummy that values liberty.
| rvnx wrote:
| [flagged]
| lnxg33k1 wrote:
| What are you doing about western governments pursuing
| journalists who reported war crimes in iraq?
|
| This moral superiority about expecting people from other
| places to do what we don't would be hilarious if it was
| completely outrageous
|
| We're expecting normal people to stand up against armed
| regimes while around the world our governments commit the
| worst human crimes while we're zapping on netflix. I have
| absolutely no words, I'm terrified.
| apples_oranges wrote:
| If you tallied it all up in an excel sheet you would
| probably be shocked about the abuse going on "here and
| there"
| dijit wrote:
| The world is not as black and white as you paint it, taken
| from an outside perspective the US has also done _many_
| things that we would likely go to war for if it was anyone
| else, including chasing journalists across borders, forcing
| down diplomatic aircraft and spying on allied governments
| (Merkel in particular).
|
| Regardless; your enemies are not my enemies. Even then:
| Sanctioning occupied territories only serves to push the
| occupied territory further into the occupiers' hands.
| dancemethis wrote:
| I mean, I'm super against supporting hostile government
| countries, but a lot of stuff is made in the US. It's hard to
| avoid money going there.
| jasonvorhe wrote:
| Hostile to Western interests. Sanctions are nothing but
| legitimatized bullying of the strong over the weak. Thanks,
| but not. Multi-polarity is coming.
| apples_oranges wrote:
| Isn't trading with certain states like sanctioning of how
| they treat their population? Withholding trade seems fair.
| We don't want to deal with you because you start murderous
| wars for example seems fair. As for "multi polarity"..
| seems so far like the catchphrase of shitty governments and
| unhappy people here that dream of some radical change..
| It's a false word somehow
| zirgs wrote:
| Yup - there's no "multi". You either live in a country
| that's aligned with the USA, or you live in some sort of
| authoritarian hellhole.
|
| There's no democratic and prosperous country that isn't
| aligned with the USA somehow.
|
| Russia had the chance to become a country like that in
| the 90s, but they chose to have another tsar instead.
| blowski wrote:
| At some point, we thought it would be the BRICS. All of
| them have moved away from that in the last decade.
| zirgs wrote:
| Brazil - high crime and corruption, but at least there is
| some democracy.
|
| Russia - totalitarian regime with no democracy and no rule
| of law.
|
| India - lots of poverty and corruption, but at least there
| is some democracy.
|
| China - authoritarian regime with no democracy whatsoever.
|
| South Africa - poverty and corruption.
|
| Not very great choices. Also only Russia and China would
| be safe for people like Snowden or Assange.
| rvnx wrote:
| It's honestly very sad the way the world moves :(
|
| There was a real possibility that Russia could have
| joined Europe, but something got broken along the way.
|
| I'm not sure that USA is really a strong ally of Europe.
| It's something in-between. US has its own interests
| before all.
|
| They would lend us (Europe) money and sell us weapons in
| case we go to war, but a friend giving you a loan and
| making profit out of you isn't really that great friend.
| zirgs wrote:
| Every country has their own interests.
|
| The USA is not perfect, but there isn't anyone else out
| there.
|
| Beggars can't be choosers. Especially after European NATO
| members underinvested in defence for decades and refused
| to see Russia as the threat that it is.
|
| Not that long ago France even attempted to sell them
| aircraft carriers.
| rvnx wrote:
| The only time I've heard the expression about multipolar
| was from Chinese and Russian Foreign Minister playbook.
|
| Add "NATO", "Russophobia", "Nazis", "Western" and other
| keywords in the soup and you have the perfect anti-
| Western speech.
|
| It's not even a Western tool.
|
| Sanctions are a tool to refuse to trade with opponent
| regimes, and it works both ways (China has sanctions on
| the West too, for example on semiconductors. Russia has
| sanctions too against the West).
|
| It's not perfect, and it has side-effects, but overall it
| deters other countries / terrorist organizations to
| follow the same path of taking a hostile posture against
| you.
|
| If you let people go around sanctions, then becoming
| hostile will simply have no consequences.
|
| If there are no consequences to actions, and there is a
| big prize to win, then the politics will do it, no matter
| what.
| jasonvorhe wrote:
| If all you read is propaganda by one empire or another,
| it's no wonder you immediately associate a term with
| propaganda. https://en.wikipedia.org/wiki/Polarity_%28int
| ernational_rela...
|
| Interesting quote:
|
| > In April 2023, the Australian government released their
| 2023 national review where it is outright stated that the
| age of American unipolarity and primacy in the Indo-
| Pacific is effectively over, paving way to great power
| competition and a more fractious world order.
|
| It's new to me that Australia is known to spread Russo-
| Chinese propaganda either.
| zirgs wrote:
| Where's the second democratic pole? If the only alternative
| to living in an US aligned country is moving to an
| authoritarian hellhole - then... no thanks...
| worldsayshi wrote:
| FYI it seems they are still looking for people. They are
| advertising on buses here in Gothenburg.
| euazOn wrote:
| Sidenote: I know a bunch of people from Crimea and many things
| we take for granted are surprisingly complex for them. People
| from Cuba or Iran at least have the certainty of which country
| they are in.
| varispeed wrote:
| Crimea is in Ukraine.
| ChumpGPT wrote:
| [flagged]
| concordDance wrote:
| Country borders are made up. While this is most obvious
| when looking at Africa it is also true everywhere else.
| dijit wrote:
| Yet, if you lived there you would be issued a Russian
| passport, your official documents would be from the Russian
| state; your police would be Russian.
|
| And; if you lived in Laos, Cuba, Cambodia or Afghanistan:
| you would currently be taking the opposite stance.
|
| We owe it to ourselves to not permit the affectations of
| propaganda to convince us that we are consistently right,
| the truth on the ground is much more complicated.
|
| I certainly believe Crimea is an invaded territory of
| Ukraine, but I cannot pretend that it's a wise notion to
| demerit the entire conflict down to "Crimea is in Ukraine".
|
| It does nothing to help the people there, and is completely
| meaningless in the face of my initial comment: that while I
| could sell games to Ukrainians, I could not allow them to
| play from within Crimea... a territory you claim; is
| Ukraine. The implicit argument you just made is that we
| have created sanctions against Ukraine itself.
| mynameishere wrote:
| _Russian passport, your official documents would be from
| the Russian state; your police would be Russian_
|
| And, most likely, your personal allegiance would be
| Russian.
| nabakin wrote:
| While this is a provocative response and there is no
| excuse for the Russian invasion of Ukraine, the 2001
| Ukrainian census[1] states 60.4% of the Crimean
| population considered themselves Russian and 24% of the
| Crimean population considered themselves Ukrainian.
|
| [1] https://en.wikipedia.org/wiki/Demographics_of_Crimea#
| Ethnici...
| iudqnolq wrote:
| Obviously it's impossible to do a reasonably unskewed
| poll in Crimea right now. However in other parts of
| Ukraine the number of people who consider themselves
| Russian drastically decreased when Russia started
| shelling their homes. So it's not clear how informative
| 2001 polls would be. Russia has also deliberately
| encouraged Russians to move to Crimea recently which
| would also skew that statistic.
| nabakin wrote:
| You make some good points. I agree, any census done after
| Russia took Ukraine in 2014 can't be used and I don't
| doubt people who once considered themselves Russian
| started to consider themselves Ukrainian after Russia
| attacked Ukraine, but this was before all that so I don't
| think that's a problem.
|
| And I'm not saying considering yourself Russian means you
| have allegiance to Russia, but I think there is a strong
| correlation between the two. Even if there's less of a
| correlation than I think, the percentage which considers
| themselves Russian is over twice that of the percentage
| which considers themselves Ukrainian. Maybe the Tatars
| align more with Ukraine than Russia, improving the
| balance, but idk.
| hvis wrote:
| Whether the people considered themselves to be "Russian"
| or not, in 1991 54% of voters in Crimea came out in favor
| of independence: https://en.wikipedia.org/wiki/1991_Ukrai
| nian_independence_re...
|
| Even though you have the results of "demographics" survey
| of 1989 that put "Russian" populace at 67%.
| nabakin wrote:
| Thanks for this. I'm glad people have good, evidence-
| based responses to my comment.
|
| This gives us a great idea of how likely a Crimean who
| considers themselves Russian would actually vote between
| the two and that while the correlation is strong, it
| might not be strong enough to suggest Crimeans would
| favor Russia, and while Crimea is still clearly the most
| Russian-friendly Ukrainian state, the decision between
| the two is much closer than I previously thought.
|
| Edit: to add, I have talked with a Crimean who supports
| Ukraine, but they say the outcome of a vote would very
| likely be pro-Russia, even before they started shipping
| Russians in and pre-occupation.
| hvis wrote:
| What it probably shows, is that while the fraction of
| inhabitants of Russian ethnicity stayed roughly the same
| in there, the supporters for joining Russia, at the very
| least, are not the same exact set of people. And we don't
| really know their number because the vote didn't have any
| independent observers.
|
| > but they say the outcome of a vote would very likely be
| pro-Russia, even before they started shipping Russians in
| and pre-occupation
|
| I heard similar opinions too, but it might vary depending
| on who you ask. E.g. we talk about information bubbles on the
| Internet, but they exist IRL too. That is to say, hearsay
| is not proof. And even if it were true, one might keep in
| mind that the reasons for that might not be obvious. E.g.
| there had been a fair amount of anti-Ukrainian propaganda
| on the Russian state TV (which broadcasted in Crimea as
| well) starting with 2000s or so.
|
| Or here's a thought exercise, from another perspective:
| would you say if US made a poll in Monterrey (Mexico)
| about whether the people in there wanted to join US, and
| >50% of them said yes, it would have been justifiable (in
| at least some practical sense) to annex it? Or
| Montreal/Canada, for example. It's close enough to the
| border.
| varispeed wrote:
| > Yet, if you lived there you would be issued a Russian
| passport, your official documents would be from the
| Russian state; your police would be Russian.
|
| These documents are illegal and have no meaning.
|
| > I certainly believe Crimea is an invaded territory of
| Ukraine, but I cannot pretend that it's a wise notion to
| demerit the entire conflict down to "Crimea is in
| Ukraine".
|
| And then you are trying to legitimise the Russian
| invasion. Come on. Most intelligent people see through
| this, comrade.
| leesalminen wrote:
| Are you saying these passports can't be used for travel?
| If they weren't, then why would anyone bother going to
| get one?
| mike_d wrote:
| The Crimean issued passports are accepted only by Russia
| and other occupied areas such as South Ossetia and
| Abkhazia.
|
| Practically they are required for many domestic tasks,
| and Russia won't let you leave the region with a real
| passport so you need one to get out. The European Union
| has emphasized to its member states that possession of
| one of these "passports" should also expedite the
| issuance of a humanitarian/refugee passport.
| concordDance wrote:
| > These documents are illegal and have no meaning.
|
| "No meaning"? That seems like a meaningless statement.
|
| > And then you are trying to legitimise the Russian
| invasion.
|
| Not everyone is a soldier in your ideological (and
| literal in this case) war. People can have nuanced views
| for nuanced reasons.
| [deleted]
| michaelt wrote:
| _> And then you are trying to legitimise the Russian
| invasion._
|
| In this conflict, I agree with you 100% - fuck Putin.
|
| On the other hand, many international organisations don't
| recognise Taiwan as a country, whereas in my mind it's
| clearly a country for obvious reasons. So I don't
| consider international recognition to be the be-all-and-
| end-all of which borders lie where.
| philwelch wrote:
| If you really want to fight about this, Ukraine's
| military is accepting foreign volunteers.
| pessimizer wrote:
| Yes. Zelensky has made it clear that they have lots of
| equipment and arms (although they'd love to have more.)
| What they need is foreign volunteers to fight.
| Entalpi wrote:
| Crimea is de jure in Ukraine per international consensus.
| Crimea is de facto occupied by Russia. These are
| orthogonal statements that are both valid. Everything else
| you listed derives from these premises.
| veave wrote:
| That's disputed (literally :P)
| PentiumBug wrote:
| Yup. As a Cuban, sometimes it is annoying and sometimes it
| goes beyond that. Some cloud providers are totally off limits for
| us, some are fine with us (the minority and less known), some
| let us use some services but no others, some even have valid
| OFAC licenses but still deny access (because ACL complexities,
| I suppose)... it's all over the place. That's why I'm 95% of
| the time on crappy VPNs both to escape/evade US sanctions and
| my own country censoring mechanisms.
|
| The thing is, I _somewhat_ understand why the sanctions were
| placed decades ago, but... is that rationale still valid?
| Anyway, and sadly, the sanctions affect "regular" people like
| me the most. The ruling elite? Not at all.
|
| Thank you for your position, BTW!
| leesalminen wrote:
| > Anyway, and sadly, the sanctions affect "regular" people
| like me the most. The ruling elite? Not at all.
|
| This confirms my secondhand knowledge of financial sanctions.
| It seems to universally be this way and makes me wonder why
| we still tout them as if they were effective. They sure don't
| seem to be.
| actionfromafar wrote:
| That's a very broad statement, almost automatically untrue.
| All countries, all situations, all financial sanctions?
| pessimizer wrote:
| It obviously isn't too broad, because instead of this
| comment you could have posted a single counterexample to
| disprove it.
| actionfromafar wrote:
| The onus isn't really on me, I'm not the one making
| blanket statements.
| GoToRO wrote:
| The idea is that "the many", the poor, will overthrow the
| elite.
| allarm wrote:
| Because they have limited access to the Internet? That's
| just silly.
| GoToRO wrote:
| and many other things
| barrotes wrote:
| Funny how everyone talks about the Chinese "great firewall"
| that blocks access towards some western platforms from China,
| and no one talks about the "USA great firewall" that blocks
| Cuban citizens from accessing a lot of services
| mike_d wrote:
| Because the latter is not a thing. The United States does
| not implement any border firewalls on traffic entering the
| country. No law compels blocking Cuban citizens from
| accessing US hosted content, just preventing them from
| entering into financial transactions.
| NikolaNovak wrote:
| Besides the technical differences brought up by other
| commenters, I'm a Canadian and _I_ hear about USA sanctions
| toward Cuba on regular TV news and newspapers, never mind
| more specific news sources, every USA election cycle. It's
| a massive topic of public debate, and from what I can see
| it hugely influences outcomes of key seats in state and
| federal elections. Sometimes these claims of "nobody talks"
| or "mainstream media doesn't want you to know" are just...
| incorrect?
| actionfromafar wrote:
| Probably because they are very different things. It's not
| like the US stops Cubans from reading Wikipedia.
| unixhero wrote:
| It is probably not too late
| codetrotter wrote:
| Last time I was in Gothenburg in Sweden, about one year ago,
| I even saw advertisements on the trams about Mullvad hiring
| people.
|
| If you want to work for them, reach out to them. Maybe they
| need more people like us still :)
| GoToRO wrote:
| [flagged]
| pc86 wrote:
| "The people" value different things depending on who they
| are. I'm sure you can find Russians who value liberty and
| peace, and I'm sure you can find Americans (or Germans, or
| Canadians, or Australian Aboriginals) who don't.
| GoToRO wrote:
| Yes, there are Russians that value liberty, I'm just
| disappointed by how few there are.
| antihero wrote:
| Bit of a generalisation there, how many of us in the west
| were against and protested against the various wars we've
| been involved in and been basically just ignored because the
| government just does what it wants?
| GoToRO wrote:
| Not many but two wrongs don't make a right.
| dijit wrote:
| I am speechless; I can think of a dozen or so glib responses
| to put down this line of reasoning in a combative way.
|
| I will do my best to go against that instinct and instead
| say;
|
| 1) I don't believe necessarily that Crimeans are "Russian"
|
| 2) I don't believe that we can talk about a country's people
| as being homogeneous.
|
| 3) I don't believe we should be deciding what liberty people
| should be entitled to, that feels decidedly totalitarian to
| me, it would be very easy to decide that _you_ dear reader
| are not entitled to liberty either, since you implicitly
| support *gestures broadly*.
| GoToRO wrote:
| Sorry, I misunderstood your comment. I was referring to
| Russian Russians but like you said, they are able to buy
| the game anyway.
| vasco wrote:
| I also got upset when I had to implement geoip tracking to
| block specific countries and thought about the people that
| wouldn't have access to the free service we were providing,
| which I thought could help someone bootstrapping their small
| business and potentially improve their lives.
|
| That being said, many people consider sanctions as an act of
| war[0] and if you think of them like that, well obviously it
| sucks, it's war and war-like consequences always suck for the
| people on the ground.
|
| Just make sure when your boss asks you to implement geoblock
| bans for sanctions, do what you need to do and not more like
| trying to block VPN users or other shenanigans. Don't break the
| law but don't make it harder for people on the ground to use
| their right to internet access.
|
| [0] https://moderndiplomacy.eu/2022/06/29/economic-sanctions-
| as-...
| 2OEH8eoCRo0 wrote:
| What caused you to pass on that opportunity?
| dijit wrote:
| It was before (or during the beginning of) COVID and it
| required on-site in Gothenburg.
|
| I was firmly planted in Malmo (3hrs train away) and had just
| signed to buy an apartment.
| hammock wrote:
| Mullvad is THE ONLY mainstream VPN that doesn't have seriously
| questionable credibility. Not even Proton VPN is OK - sleuths
| have figured out that it's just a white-labeled version of
| NordVPN.
|
| I am thankful that Mullvad is doubling down on their commitment
| to integrity, because there isn't an alternative.
| digging wrote:
| Ick. Do you have a source?
| neontomo wrote:
| Do you have any sources for the NordVPN claim?
|
| Edit: I just had a look through your post history and you seem
| to have been claiming this for months, without providing any
| evidence. Shady.
| hammock wrote:
| >Do you have any sources for the NordVPN claim?
|
| The trail is a rabbithole, and you might not be personally
| satisfied with the standard of evidence. Here is a start for
| you: https://news.ycombinator.com/item?id=23571653
|
| Note in the link above [1] doesn't work anymore since Nord
| actually removed the product page for their white label
| product, but it does exist and you can see it in the Products
| dropdown as NordWL.
|
| And since the link to [2] in what I linked above is broken,
| here is the archived version: https://archive.is/iZ2l2
| pelasaco wrote:
| Then when the audit team is gone, they enable user logging. I think
| that's a possibility in every provider. IMO based on the
| transparency they handle police requests to get access emails, I
| will keep using protonvpn.
| procone wrote:
| Source? They've always been logless.
|
| I think you have this completely backwards considering Proton
| maliciously logged and handed out customer IPs to police [0].
|
| [0]: https://techcrunch.com/2021/09/06/protonmail-logged-ip-
| addre...
| flangola7 wrote:
| >maliciously
|
| They literally had no choice, it was a court order.
| protonmail wrote:
| As any other company operating legally, we have to respect
| the local legislation, which is what happened in this case.
| The case also shows that our encryption works as intended -
| we were not able to share any of the user's data stored
| encrypted on our servers (email content, attachments, etc.),
| because we don't have access to it ourselves.
|
| Note also, that the case pertains to Proton Mail, and not
| Proton VPN. Proton Mail is considered to be a communication
| service, and in most countries (including Switzerland),
| communication services are regulated to some extent. The
| treatment of VPNs is different. There are no Swiss laws
| compelling us to log IP addresses, personal identifiers,
| traffic or browsing history, as proven in a 2019 legal case
| (we were not able to provide the requested information
| because we don't keep any:
| https://protonvpn.com/blog/transparency-report/).
| pelasaco wrote:
| Thank you Protonmail. I was downvoted as expected, but you're
| still the only viable option <3.
| stOneskull wrote:
| "The Swiss legal system, while not perfect, does provide a
| number of checks and balances, and it's worth noting that
| even in this case, approval from three authorities in two
| countries was required, and that's a fairly high bar which
| prevents most (but not all) abuse of the system."
| hu3 wrote:
| And how does Mullvad deal with court orders?
|
| I guess it's handled by this finding in the audit:
|
| "VPN servers accept remote logins from administrators, who
| technically have the ability to tap into production users'
| VPN traffic"
| karaterobot wrote:
| Here you go:
|
| https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-
| subjec...
|
| In short, they immediately and helpfully complied with
| police... by letting them know they did not store any data
| about customers whatsoever.
| _joel wrote:
| If your threat assessment involves this, you're probably
| best not using a $5 a month VPN.
| YPPH wrote:
| Mullvad looks like one of the best VPN providers out there.
| However the use of a customised Linux Kernel and Ubuntu
| distribution gives pause for thought. Are they going to be able
| to integrate security patches quickly? Wouldn't it be better to
| use a standardised security focused OS?
| sneak wrote:
| Thought experiment: design an architecture that passes this audit
| scope as written that allows for logging of user activity.
|
| I can think of at least one.
| jiehong wrote:
| Like sending logs over the network?
|
| It's quite common for servers to boot from the network and have
| no disk, and have application logs actually sent to a log
| server via http/udp [0].
|
| [0] For example:
| https://docs.splunk.com/Documentation/Splunk/9.1.0/Data/HECE...
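As an added illustration of the "logs shipped off a diskless host" pattern described above (my own example code, not from the audit, Mullvad, or the commenter), here is a small check an auditor could run over a host's rsyslog configuration to enumerate remote log sinks. It handles the legacy selector syntax (`@host` = UDP, `@@host` = TCP) and RainerScript `action()` blocks; the host names and the config text are constructed for the example.

```python
"""Enumerate remote log-forwarding destinations in an rsyslog configuration.

Added example (not from the Mullvad audit or the comment author). An auditor
checking a diskless host for network log shipping can parse the rsyslog config
for outputs that leave the machine. Hosts and file contents are constructed.
"""
import re
from dataclasses import dataclass

# Output modules that only write locally; every other action type is treated
# as a potential remote sink and reported for review.
LOCAL_MODULES = {"omfile", "omusrmsg", "ompipe", "omdiscard", "omuxsock"}

# Legacy syntax: "<selector> @host[:port]" (UDP) or "@@host[:port]" (TCP),
# with optional "(z5)"-style options between the @'s and the host.
LEGACY_RE = re.compile(
    r"^\s*(?P<selector>[^#\s]+)\s+"
    r"(?P<proto>@@?)"
    r"(?:\([^)]*\))?"
    r"(?P<host>\[[^\]]+\]|[^:\s]+)"
    r"(?::(?P<port>\d+))?",
    re.M,
)
# RainerScript: action(type="omfwd" target="..." port="..." protocol="...")
ACTION_RE = re.compile(r"action\s*\((?P<body>[^)]*)\)", re.S)
# key="value" pairs; keys may contain dots (queue.type), so do not split on them
KV_RE = re.compile(r'(?<![\w.])([\w.]+)\s*=\s*"([^"]*)"')


@dataclass(frozen=True)
class Sink:
    module: str      # rsyslog output module
    transport: str   # "udp"/"tcp" for omfwd, otherwise "module-defined"
    host: str
    port: int        # 0 when the module does not expose a port setting


def find_remote_sinks(config_text: str) -> list[Sink]:
    """Return every remote output found in the config, legacy lines first."""
    sinks: list[Sink] = []
    for m in LEGACY_RE.finditer(config_text):
        transport = "tcp" if m.group("proto") == "@@" else "udp"
        host = m.group("host").strip("[]")          # unwrap [IPv6]
        sinks.append(Sink("omfwd", transport, host, int(m.group("port") or 514)))
    for m in ACTION_RE.finditer(config_text):
        kv = {k.lower(): v for k, v in KV_RE.findall(m.group("body"))}
        module = kv.get("type", "").lower()
        if not module or module in LOCAL_MODULES:
            continue
        host = kv.get("target") or kv.get("server") or kv.get("broker") or "?"
        if module == "omfwd":
            transport = kv.get("protocol", "udp").lower()   # omfwd defaults to UDP
            port = int(kv.get("port") or 514)
        else:
            transport = "module-defined"
            port = int(kv.get("port") or kv.get("serverport") or 0)
        sinks.append(Sink(module, transport, host, port))
    return sinks


# Constructed sample configuration (not a real host's config).
SAMPLE_RSYSLOG_CONF = """\
# constructed sample, not a real host's configuration
module(load="imuxsock")
*.info;mail.none        /var/log/messages
auth,authpriv.*         @@logs.example.net:6514
kern.*                  @[2001:db8::10]
action(type="omfile" file="/var/log/local.log")
action(type="omfwd" target="collector.example.net" port="514"
       protocol="tcp" queue.type="LinkedList")
action(type="omelasticsearch" server="es.example.net" serverport="9200")
"""

if __name__ == "__main__":
    for sink in find_remote_sinks(SAMPLE_RSYSLOG_CONF):
        print(f"{sink.module:16} {sink.transport:15} {sink.host}:{sink.port}")
```

A result of zero sinks only shows rsyslog is not forwarding; journald's own forwarding, application-level log shippers and kernel netconsole would need separate checks.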
| drexlspivey wrote:
| Thought experiment: build your own VPN company that doesn't log
| anything and try to convince people like you that you don't do
| any logging
| zirgs wrote:
| If you don't do any logging and don't want to know what your
| users are doing - it means that you won't have to deal with
| the cops as much. And there won't be any risk of those logs
| getting leaked or stolen .
|
| Unless you're de-facto part of the government like Google and
| Microsoft - I see no good reason to log anything more than
| what's legally required.
| waithuh wrote:
| ...why do that when you can simply sell though?
| zirgs wrote:
| Sell what? Browsing data of VPN users? That would be easy
| to check.
| waithuh wrote:
| How easy is the question.
|
| 1. Browsing habits would hardly have an effect on the
| vast array of data to have an effect on ads presented to
| you, unless you care about your privacy. It's all target
| audience and marketing (look at ExpressVPN or Surfshark.
| They all offer privacy but never follow up)
|
| 2. Their algorithms can avoid showing you ads derived
| from the VPN if it detects the usage of your actual IP
| sneak wrote:
| I think you misunderstood me. You seem to take my comment as
| input to an assumption that I think they are logging.
|
| I don't know if they are logging or not. They say they
| aren't. The audit says they didn't see evidence that they
| are.
|
| It's impossible to prove a negative.
| red-iron-pine wrote:
| how do you troubleshoot? how do you monitor? how do you check
| for malicious behavior from clients or 3rd parties? how do
| you keep your providers honest?
|
| actually a very interesting experiment
| yellow_lead wrote:
| > These servers were deployed as though they were to be
| production customer-facing servers, however these servers have
| never been utilised as such.
|
| > Servers that ROS was given access to for testing purposes
| should be isolated from production data, but we found that the
| Wireguard host was receiving production user traffic via multihop
| configuration
|
| Ouch
| radicalriddler wrote:
| Picked up Mullvad a couple months ago, I love its concept of
| just paying for the time I use.
| gorbypark wrote:
| Is that an option? I've been paying 5 euros a month for a
| number of years and probably use it for 10 minutes a month, on
| average. I would love to just plunk down 20 euros and be good
| for the foreseeable future, if it was a couple cents per
| minute.
| traceroute66 wrote:
| > I would love to just plunk down 20 euros and be good for
| the foreseeable future
|
| Simple, buy the number of gift vouchers on Amazon that meets
| your budget.
|
| There is no limit on the number of gift vouchers you can
| apply to a single account.
| gorbypark wrote:
| But it's still 5 euros a month, right? I thought OP was
| saying there was some sort of pay-by-the-minute/hour/day
| pricing.
| joshstrange wrote:
| Correct, it's always monthly pricing, no usage pricing. I
| assume OP meant they could pay for a few months, stop,
| then start back up at any time easily.
| stjohnswarts wrote:
| I just send them enough cash for a year at a time. No
| issues yet. I suppose there is a chance someone grabs it
| out of the mail but I'm willing to risk it.
| OJFord wrote:
| It's not on the pricing page (I was surprised too) - I think
| maybe GP means that it's rolling monthly, and that they no
| longer do card subscriptions (on a pro-privacy stance, not
| wanting to store them, Know their Customer, etc.) so you can
| pay (say, Amazon) for the time (1 month, 94 months, however
| many months) you need.
| dontupvoteme wrote:
| Sadly I can easily imagine a future where mullvad suffers because
| big tech simply rangebans all their datacenters (already happens
| to some degree between cloudflare and individual admins - people
| are seemingly even banned from using chatgpt if they connect over
| it, or at least it's involved) and you need the shady residential
| proxies to actually be able to connect/scrape anything.
|
| A self hosted VPS may also work if the company is small enough to
| avoid the coming BlanketBans, but only time will tell.
| [deleted]
| progbits wrote:
| > by Radically Open Security
|
| HN title stripping strikes again, OP can you please fix the title
| to correct the company name?
| [deleted]
| bspammer wrote:
| FWIW you can look at the network traffic in your browser
| devtools and verify that only the public key is being sent to
| them. You can even hit their API endpoint with the public key
| you want to add manually, I just tried it and it worked.
|
| Either way, if you don't trust them it hardly matters if your
| connection to their server is secure - they're the ones
| decrypting it!
| Aachen wrote:
| Title is missing the word "Radically". I didn't know "Open
| Security" but "Radically Open Security" is the place I've written
| a thesis at
|
| Edit: u/progbits is 1 minute faster than me
| https://news.ycombinator.com/item?id=37060828
| radicalbyte wrote:
| One of the projects I worked on a couple of years ago was
| audited by Radically Open Security - I was extremely impressed
| with the quality of their specialists.
|
| They didn't find anything of course (in the system I was
| responsible for) beyond a couple of remarks (which I believe we
| had already explicitly marked with comments as they were marked
| for improvement by our static analysis tools; think "you can
| use a better variable name here" and "this can be simplified by
| using guard clauses" level). Not bad for something built under
| extreme circumstances and very little sleep (6-month-old-baby +
| COVID + crunch + 2 other busy young kids = hell).
| brapachin wrote:
| It appears in this audit. They only reviewed test production
| servers.
|
| Playing devil's advocate, what would be stopping Mullvad from
| providing the Open Security team with a version of Mullvad
| stripped of logging features? I hate to be this skeptical, but
| shouldn't an actual audit review customer facing servers (within
| bounds to prevent the auditors from logging info).
|
| Maybe I'm wrong, someone pls lmk. But I'm not convinced a test of
| this calibre demonstrates Mullvad's claims of no logging.
| nemo8551 wrote:
| I would have liked it if the audit had also provided a number
| of logins to be used on that server to act like typical users.
| Just so it was operating as a normal server would.
|
| This could have led onto auditing a live server.
|
| Auditing an in use customer facing server would definitely
| require a good amount of controls to ensure the auditors didn't
| log any possible customer data.
| amarshall wrote:
| It wouldn't make that much of a difference, I think, since they
| could just do the same with the real servers but only for the
| period of the audit. There has to be some faith that the
| subject isn't actively deceptive and malicious, or the audit
| has to be random and at any time.
| afiori wrote:
| They don't state it clearly but this was a "we are capable of
| not messing up" audit rather than a "we are keeping our promises"
| audit.
|
| I believe it is relevant to the threat model of an attacker
| gaining (partial) access to a production server (eg no
| accidental logging), not to the threat model of mullvad
| deploying malicious code.
|
| I feel like this is a meaningful audit but would have liked if
| they had stated this more explicitly
| jonfw wrote:
| Audits can't account for a company acting in bad faith to
| mislead an auditor. They accomplish two things:
|
| 1. ensure that the company isn't misconfiguring things and
| accidentally breaking their own policies
|
| 2. provide a paper trail that would directly implicate people
| in the event of fraud, removing plausible deniability for the
| folks involved.
| AndyMcConachie wrote:
| You're asking Mullvad to give outsiders access to their
| customer's connections. That's something they've promised to
| never do.
| slowmotiony wrote:
| I work in a bank and wish it worked like that too. "Sorry
| ECB, sorry SEC, we don't allow auditors access to our
| customers money". :-) My work would be so much easier! Too
| bad we can't do it because we'd go to prison.
| stonepresto wrote:
| At some point of paranoia people should really look into
| self-hosting a VPN service. Sure, your VPS provider can see one
| side of the traffic so it's not bulletproof, but that can be
| mitigated.
|
| Mullvad is a nice middle ground for those who don't see that as
| worth their time or don't know how. It's good to see they're at
| the very least trying to keep up appearances.
| dewey wrote:
| I doubt that's the better way. How is self-hosting helping
| with the paranoia vs. using Mullvad?
|
| I don't really see how it's more secure to run some software
| that you haven't audited on a VPS somewhere at a provider you
| haven't audited. I'd trust a company with resources to run
| their own hardware, investing into a more secure setup [1]
| and contributing to more open infrastructure [2] much more
| than I trust myself to run something securely which isn't my
| sole occupation.
|
| [1] https://mullvad.net/en/blog/2022/1/12/diskless-
| infrastructur...
|
| [2] https://mullvad.net/en/blog/2019/8/7/open-source-
| firmware-fu...
| rvnx wrote:
| Self-hosting also makes you vulnerable to the network
| hosting you (not only the hosting server itself, but also
| the internet transit provider) and of course the website
| you are visiting, as you are the only user from that source
| IP (rendering a VPN practically useless).
| BLKNSLVR wrote:
| There may be holes in this but:
|
| 1. |Router| -> Wireguard / OpenVPN -> |VPS|
|
| 2. |Device| -> Wifi -> |Router|
|
| 3. |Device| -> app -> |Mullvad|
|
| = |Device| -> |VPS| -> |Mullvad| -> Internet
|
| Can do various mixing and matching if you have more than
| one VPS. Again, it rearranges rather than removing the
| vulnerabilities, and it's pure window dressing against an
| organised, financed actor.
|
| I've done this as an intellectual challenge more than
| anything else.
| pokeymcsnatch wrote:
| I do this, mostly for the static IP that isn't linked
| directly to me and my approximate location, with mullvad
| exit only for 'sensitive' stuff. The degree of separation
| is nice even if the breadcrumbs are there. Best if the
| VPS allows crypto or cash payments.
| aborsy wrote:
| Self-hosting isn't private at all. You will replace your home IP
| with a VPS IP, both of which are linked to you. Also, the VPS
| provider probably logs the traffic.
| stjohnswarts wrote:
| Why would self-hosting be better? Do you have a list of VPSs that
| are better than Mullvad?
| sargun wrote:
| Mullvad has been chopping away at system transparency for a
| little while: https://mullvad.net/en/blog/2019/6/3/system-
| transparency-fut... -- Effectively, a mechanism by which their
| servers can perform attestation that the server really is
| what it says it is.
|
| I think they might have even spun this out into a separate
| project. With this, you can "trust" Mullvad that what's audited
| is really what you're using.
___________________________________________________________________
(page generated 2023-08-09 23:00 UTC)