And it's all open source btw. https://github.com/system-transparency/stboot
Tangential to this, it always irks me how they all act as if the majority of the websites their users are going to aren't HTTPS, and how they act like their main benefit is filling in the gaps that HTTPS actually fills in.
HTTPS isn't a cure-all by any means, but most of the scare tactics from the big VPN companies that advertise via YouTube act like anyone will rip off your credit card because you happened to be on Amazon while you were at the coffee shop.
Tom Scott is the only person I've ever seen have a great video about this [0]
I hear most of them saying "Don't want your ISP spying on where you're browsing? Use a VPN." Which HTTPS does not cover.
In terms of diskless, I've run 25k+ iPXE deployments on diskless blade servers using a highly customized Ubuntu, and it was fantastic.
Regardless of OS choice, being diskless is also quite nice... if there was a security issue or you need an upgrade of some sort, you just reboot. Only thing is that it takes a while to reboot 25k servers... even on gigE. It was a bit of work to build the scheduling system to make that happen reliably, but it worked out quite well.
Even better if you had boxes with 10 gigE and the smaller image. Would take your times down from like 6-10 hours to 1.5 hours.
Also, I doubt you did a full 25k restart all at once; you probably had underlying applications that expected rolling, blue/green, or even a % of nodes that can go offline at once.
Last time I managed a small «supercomputer», 50x IBM blades running Suse, it wouldn't support PXE/NFS without kernel customization, but that would void support contracts and finicky third-party software. Made a switch to FreeBSD, where everything worked out of the box one hour later. That was over 15 years ago, I have no idea how much the situation changed.
There may inevitably be some bad actors.
But then there are other companies like OVPN who proved in court that when they say no logging they mean it[1].
Edit: Forgot to mention backdoors built into basic technologies they may already be using – like the Cavium HSM thing that came to light earlier this week.
Frankly VPNs don't protect you from anything other than the most monitoring systems and the occasional public wifi connection. They're really just glorified Netflix region proxies and nothing more to most people
Like, how would that even work? Without a court gag order, gossip would make its way out of the building in weeks. The cell phone shit was only quasi-secret because only police department employees were involved, something that's impossible for these VPN outfits. They don't get any of the (unjustified) privilege that the CIA or NSA (or even the FBI, sometimes) receive.
Anything I might do that could pique the curiosity of law enforcement is definitely below the level of federal intelligence agency interest. Maybe your life is more exciting though.
Sweden absolutely has LI requirements for all telecom gear, but VPNs I have no idea about.
What you've described, to me, is the VPN logging customer activity and then sending it elsewhere to be stored.
Commercial VPNs typically run on rental servers -- usually a mix of the major cloud providers and smaller hosting providers -- and in my former company's case, using dedicated hosting (bare metal where available). Steps were taken to restrict access for physical actors, but ultimately, the mantra's always that physical access basically guarantees data access on a long enough timeline if you assume there's a bad actor in the mix.
That said, to the best of my memory, there were no indications of this kind of data siphoning happening without our knowledge, and we absolutely didn't take part in it ourselves knowingly. Occasional requests would come in from various international law enforcement orgs, and every time they'd be replied to with a message about how we don't store user records (which was a truthful reply AFAIK).
The biggest challenge for us was competing with some of the newer actors in the space, taking advantage of deceptive marketing and engaging in (IMO) unethical business practices for the sector:
- Claims of "no logging," even backed up by audits, are only ever point-in-time measurements, and may not reflect reality if the VPN provider approaches the auditors in bad faith (say, with a sanitized code base); a good auditor in my experience will refuse to make this claim in the report
- Claims about having the corporate HQ in one country making it immune from the laws of countries they operate servers in (this is deceptive marketing; failure to comply with laws will get you shut down, and at my old employer we'd make calls about whether to just drop our server presence in a country entirely in response to local laws and political happenings)
- Commercial resale of user data is (allegedly) rampant among many of the newer providers you see constantly plugged on YouTube. This isn't helped by the massive consolidation of the VPN market under just 2 or 3 holding companies.
I won't name names for the companies I mentioned above, but my recommendation is to adjust your threat model from "nation-state level surveillance" to "commercial data resale just like every other web service."
As far as data collection went for my old company: we collected system metrics like resource usage over time, and kept minimal sanitized logs to help diagnose any production issues that'd come up -- basically the absolute minimum amount of data we needed to keep the service operating smoothly. I have every reason to believe this is an industry norm, since otherwise development and troubleshooting would be nearly impossible.
Anyway, there's also the looming "threat" (lol) of HTTPS and encrypted DNS proliferation and improvement making the core use case for commercial VPNs obsolete. I think anyone who's spent a bit of time in that industry realizes that the business model isn't long for this earth as a result, so I suspect many are trying to milk the industry for all it's worth. Personally, I'm all for HTTPS and encrypted DNS proliferation, and I'm also hoping more and more commercial public networks start using virtual private subnets and other device isolation features to make it even harder to abuse coffee shop Wi-Fi.
For a lot of people the core use case is accessing Netflix in a different country!
If you live in a country with detailed data retention laws, this massively changes the shape of the graph: rather than your computer connecting via HTTPS to lots of other IP addresses, it only connects to one, which a large number of other customers do too. The argument then goes that there's enough inherent jitter and generic "chaff" on the internal network to make it very hard to deterministically work out if one of your packets going in to a popular service is the same as that coming out at any moment in time; the greater the traffic of the network and the provider the better the statistical protection becomes as the packets become indistinguishable.
This, and the fact that it represents a giant "no thanks" to dragnet surveillance, is arguably a good reason to just put a VPN on your router (as many people do).
Honestly I don’t think audits are worth anything. But it’d be a huge conspiracy to mess with so many parties.
In this sense, they're valuable. As someone working in software, I can figure out if the bugs were subtle or blatant, which is often a good proxy metric for the competence of the team behind the product. Are the same bugs cropping up year after year, even if they've already been previously fixed in other parts of the code? Again, a good red flag to use there.
Audits do not and often cannot cover things like "is the company reselling connection/user metadata to other companies," though, and in most cases consumers will care that there is an audit rather than caring what's in the audit.
I frankly wouldn't be surprised if it's actually happening.
No they can't, because THEY are still logging.
Running a production-grade service with zero metrics and logs? If there's an outage, or even something as mundane as a VM failing to provision, you're telling me that Mullvad developers just shrug and say "well, we can't do anything, because there's no logs!"
I don't use a third party VPN, but if I wanted to, "we deliberately eschew all observability" is not a positive selling point.
Ditto for logging. They claim to not log activity over the VPN itself, but I don't see any claims about not logging more mundane infra stuff like "a VM failed to provision". I think you're arguing here against claims they aren't making.
Logs can similarly be of system events only.
Let's say a pedophile uses Mullvad to get forbidden images, isn't the VPN liable?
I mean, the law enforcement will see that the IP was from Mullvad's office, so I assume they are the ones doing it? How do they avoid this?
It is a real doubt. Maybe stupid, but real.
> However, had they taken something, it would not have given them access to any customer information.
> These are the national laws that makes it possible to run a privacy-focused VPN service in Sweden:
This is my fear.
The more significant concern is if you are the other side: if you deliberately run some sort of VPN or other proxy that others can use, or less deliberately do so. Many hacked or otherwise suspicious browser add-ons, and other malware, will make HTTP(S) requests & other connections on behalf of their C&C hosts and to your ISP or anyone else those requests will be largely indistinguishable from those that are the result of your activity.
You need a VPN that actually cares about your privacy and goes the extra mile to ensure it. On top of that, if the VPN service does not know who you are, how can they actually tell the cops? On top of that, you don't need to explain it to the cops - if you are ever accused, this should be done in a court of law where we understand what IPs are (heck, even some cops understand it - it's not exactly rocket science nowadays).
The feature is called Perfect Forward Secrecy, and protects past flows from later key compromise.
WireGuard supports this, which is what Mullvad uses. (For some reason, speculation about which is an exercise left to the reader, WPA in Wi-Fi still does not.)
(That being said, I think having your RAM frozen to extract ephemeral secrets is firmly in the “fully hosed” threat model, and is not a realistic model for 99.9% of users to plan for.)
You can enable SME in the BIOS on all AMD-based business laptops and AMD EPYC servers.
1. https://www.amd.com/content/dam/amd/en/documents/epyc-busine...
> When servers are rebooted or provisioned for the first time, we can be safe in the knowledge that we get a freshly built kernel
Any info on what the period of time for doing so is? Do you provision them every day, week? An hour maybe? The longer the period, the less chance of some attack vectors.
Most VPN companies advertise that they do not keep logs of your browsing...
Which would be in infraction of European and American laws.
So I don't know what to think of diskless VPN.
Wouldn't using a disk in read-only mode accomplish the same thing?
Third-party audits are a scam to begin with and don't prove anything.
The custom server is a niche security point. While every server is continuously researched and patched, we cannot expect the same from a server like this. If someone were to find a security hole, an attacker would purchase it and no one else would ever know the system was compromised.
But, if anything should be a decentralized anonymous crypto-paid service, it should be a VPN network.
Centralized VPNs are still a single point of failure privacy risk. We have to trust they don't share our identity/account info and activity.
I am surprised dVPNs are not THE first rationale given for crypto. I.e. since separately and together they (ideally) have a clear comparative advantage over other alternatives for strong privacy.
A performant global open-standard dVPN could become an indispensable layer of web access.
> A decentralized VPN is a distributed VPN service where volunteers supply your VPN servers instead of a single company – but paid by crypto. Like with regular VPNs, you have to trust that the VPN server isn’t monitoring your data. But instead of there being a single VPN provider company behind it all, you have to trust that none of the thousands of server volunteers are spying on you.
Is this a correct understanding of dVPNs? Is there a rebuttal, especially to that last sentence?
You have a network of VPN point providers. As you communicate, data can be sent through any series of points.
Data is encrypted end-to-end, and the addresses for the point providers are also encrypted so that each point can only decrypt and see the next point to forward data to.
So each point knows where data last came from, and where they are sending it. But they don't know:
1. Which step of a chain of points the data is at.
2. If they are the first in the chain (i.e. the "from" is the source)
3. If they are the last in the chain (i.e. the "to" is the destination)
And (as long as two or more points are traversed, which would be always), no point ever has access to:
4. Both source and destination info.
Finally, since payments to each point are handled through a combination of peer-to-peer point bookkeeping and a crypto blockchain account, no point ever knows:
5. Any identity information about who uses the VPN.
6. Any way to identify activity over time that is related.
Acting as a point, as well as using the network, serves to further cloak activity, as being from you vs. passed through you.
And an alternative to crypto payments would be earning usage by providing point service.
EDIT:
> so I searched and found https://surfshark.com/[...]
Any VPN provider that is claiming decentralized VPNs are a greater risk is either misinformed, or willing to misinform users.
I wouldn't trust a VPN provider from either category.
Actual reasons to not use a dVPN might be that it is a work in progress, not supported well, its source code is not open, or not yet vetted by experts, too slow, not many points yet, etc.
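A constructed illustration of the layered wrapping the comment above describes (added here; not code from the commenter or from any dVPN project): the sender wraps the payload once per point, each point peels one layer with its own key and learns only who handed it the packet and where to forward it. The SHA-256 counter keystream is an assumption standing in for a real authenticated cipher, and the 8-byte addresses and EXIT marker are invented for the demo.

```python
import hashlib
import os

# Constructed demo (not any dVPN project's code) of the layered wrapping the
# comment describes: each point peels one layer with its own key and learns only
# the next hop. SHA-256 counter keystream stands in for a real AEAD cipher (toy).
ADDR_LEN = 8
NONCE_LEN = 8
EXIT = b"EXIT" + b"\x00" * 4  # marker that tells the last point to deliver

def keystream_xor(key, nonce, data):
    """XOR data with a SHA-256(key || nonce || counter) keystream."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(route, payload):
    """Sender side: wrap payload for a route of (addr, key) pairs, innermost first."""
    inner, next_addr = payload, EXIT
    for addr, key in reversed(route):
        nonce = os.urandom(NONCE_LEN)
        inner = nonce + keystream_xor(key, nonce, next_addr + inner)
        next_addr = addr
    return route[0][0], inner  # first hop address, fully layered packet

def peel(key, onion):
    """One point's work: strip its own layer, returning (next_addr, inner_onion)."""
    nonce, body = onion[:NONCE_LEN], onion[NONCE_LEN:]
    plain = keystream_xor(key, nonce, body)
    return plain[:ADDR_LEN], plain[ADDR_LEN:]

def relay(route, payload, sender=b"client\x00\x00"):
    """Walk the onion along the route; return each point's view and the exit payload."""
    keys = dict(route)
    cur, onion = wrap(route, payload)
    prev, views = sender, []
    while True:
        nxt, onion = peel(keys[cur], onion)
        views.append((cur, prev, nxt))  # all a point sees: who sent it, who gets it
        if nxt == EXIT:
            return views, onion
        prev, cur = cur, nxt

if __name__ == "__main__":
    demo = [(b"pointA\x00\x00", b"key-A"), (b"pointB\x00\x00", b"key-B"), (b"pointC\x00\x00", b"key-C")]
    for view in relay(demo, b"GET / HTTP/1.1")[0]:
        print(view)
```

Note that the first point still sees the client's address as its predecessor; hiding that, as the comment's point 2 requires, depends on the client itself looking like just another relay.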
so it should be tor?
I also wouldn’t be surprised if it’s a performance benefit, since RAM is far faster than any permanent storage.
The cons are probably just that this is a pretty unusual architecture that they probably had to put some work into setting up and making it reliable.
But, obviously, that's pretty insane. Agree with everything that this is a big leap in the step of better protection for users.