| ▲ | solenoid0937 4 hours ago |
| > As an example, imagine that you are a moderator on a forum and you suspect that a new face is actually a sockpuppet of a user you banned the day prior. You check the IP logs, and despite using different Mullvad servers, both accounts resolve to the overlapping float ranges 0.4334 - 0.4428 and 0.4358 - 0.4423. This gives you a >99% chance that they are the same person. This sounds like how I'd design a VPN if I were an intelligence agency. |
|
| ▲ | cycomanic 2 hours ago | parent | next [-] |
| Why? If I was an intelligence agency and designing a VPN I would simply log all the IPs connecting to my VPN and not rely on statistics on exit nodes to identify the users, even more so because they rely on the users to pick different servers. |
| |
| ▲ | faangguyindia 2 hours ago | parent [-] | | How would you claim it's a no log VPN? | | |
| ▲ | LordAtlas 2 hours ago | parent | next [-] | | I could just...lie. | | |
| ▲ | im3w1l an hour ago | parent | next [-] | | One person can tell a lie, but a company consists of many people. You must ensure that only few people know of the logging or there will be a risk of a leak. | | |
| ▲ | michaelt 5 minutes ago | parent | next [-] | | Well, there should only be a few people with the access needed to discover logging is happening. You'll have a server image where SSH can be toggled on using a config value in the test environment, to assist in debugging. That's normal. Don't worry, it's turned off in production. Obviously you're going to deploy the same server image you tested, only idiots test one thing and deploy another. And you'll have a high security configuration management tool, to look after your production TLS keys and suchlike. Only a tiny handful of people have access to view production configuration values. | |
| ▲ | arcfour an hour ago | parent | prev | next [-] | | An intelligence agency already consists of more people than you need to run a VPN service. | | |
| ▲ | im3w1l 21 minutes ago | parent [-] | | Still I think it's easier to avoid the need for more people than necessary. "Just lie" sounds like the easiest solution but on closer inspection maybe it is not? | | |
| ▲ | arcfour 15 minutes ago | parent [-] | | Because if you lie you get infinitely more data than if you don't lie. And if you lie you can do it completely in secret whereas if you don't lie you get articles like the OP exposing the teeny amount of data you're trying to collect. It makes no sense. |
|
| |
| ▲ | xboxnolifes an hour ago | parent | prev [-] | | Intelligence agencies... are generally pretty good at that. |
| |
| ▲ | haakon an hour ago | parent | prev | next [-] | | You really think someone would do that? | | |
| ▲ | fragmede an hour ago | parent [-] | | What, just go on the Internet and tell lies? Who would do such a thing‽ |
| |
| ▲ | ZeWaka an hour ago | parent | prev [-] | | *gasp |
| |
| ▲ | zahma an hour ago | parent | prev [-] | | Their 3rd party audit didn’t catch this… I guess we’ll see how they respond. |
|
|
|
| ▲ | tanh 3 hours ago | parent | prev | next [-] |
| Yeah I'm sure one day it will transpire Cloudflare is affliated with intelligence agencies too. The solution to a "sudden DDoS" is to put their website behind Cloudflare. Wonder who can do those sudden attacks? |
| |
| ▲ | sph 2 hours ago | parent | next [-] | | That’s been my pet theory from day 1, and not because of DDoS. Simply because they are the SSL terminator for most of the internet and can see anything going on in cleartext (and I’ve seen them protecting some shady stuff) I recall a PRISM slide showing the diagram of Google and the public internet, with a big arrow on GFE saying, quote, “SSL added and removed here! :-)” If NSA aren’t installed at Cloudflare, I wonder what they are even doing. | | |
| ▲ | tanh 2 hours ago | parent | next [-] | | DDoS is just one of the impetuses for a service provider be MiTM'd | |
| ▲ | linkregister 2 hours ago | parent | prev | next [-] | | It's within the realm of possibility that NSA is collecting data with Cloudflare's consent. It seems unlikely that Cloudflare would jeopardize their entire business model over it. Unlike other companies in the leaked NSA slides that participated in PRISM, Cloudflare would face a near-total loss of customers. Their entire value proposition is being an unobtrusive traffic intermediary. | | |
| ▲ | fph an hour ago | parent | next [-] | | Within the realm of possibility? Let's be honest, if you are a top NSA executive and you couldn't find a way to get your hands on Cloudflare's private keys (bribing or threatening the right person), you are not getting your Christmas bonus. | | |
| ▲ | nly an hour ago | parent | next [-] | | It is of course inconceivable that the NSA do not have the private keys for dozens of browser trusted certificate authorities That nonetheless doesn't help them unless they are doing active MITM. In order to do that they'd have to have at least some physical presence at Cloudflare or on the path to Cloudflare. | | |
| ▲ | RealityVoid 11 minutes ago | parent [-] | | My understanding is that they tapped communication nodes before. I would be surprised if they can't tap the pipes to cloudflare. |
| |
| ▲ | linkregister an hour ago | parent | prev [-] | | Is this information derived from Enemy of the State starring Will Smith and Gene Hackman? It was a great movie and the first DVD I ever bought. |
| |
| ▲ | sph 2 hours ago | parent | prev [-] | | > Unlike other companies in the leaked NSA slides that participated in PRISM, Cloudflare would face a near-total loss of customers People didn’t care when they learned about PRISM, why would they care now when it’s a known fact? The sane stance would be to assume Cloudflare is in cahoots with NSA. | | |
| ▲ | linkregister an hour ago | parent [-] | | All the companies involved in PRISM made public statements saying they ceased participation. Google undertook a costly initiative to add encrypted connections over their datacenter circuits. The NSA leaks were a forcing function that led to a massive uptake of encryption. Up until that point it was common for websites to support only HTTP. The NSA leaks dominated news cycles for the entirety of 2013. | | |
| ▲ | lukewarm707 an hour ago | parent [-] | | my llm api traffic terminates tcp at cloudflare in lovely plain text :/ it does give better peering. reduces latency a bit for me. | | |
| ▲ | my-next-account 25 minutes ago | parent [-] | | I had no idea that this was a thing. How can you figure out where SSL turns into plain text on its route to the destination? |
|
|
|
| |
| ▲ | breppp 2 hours ago | parent | prev [-] | | That slide was about the NSA sitting inside Google data centers without Google's knowledge. That doesn't mean collusion | | |
| |
| ▲ | hammock 3 hours ago | parent | prev | next [-] | | I don’t see how they couldn’t be. Either on purpose, secretly my coercion, or secretly without their own knowledge. It’s so valuable | |
| ▲ | dewey 3 hours ago | parent | prev | next [-] | | > Wonder who can do those sudden attacks? Anyone with a few crypto currencies in their wallet that can click a button on any of the booter services with botnets for hire. | | |
| ▲ | overfeed 2 hours ago | parent [-] | | You are right, they don't have to do it themselves, but guess who's protecting the booters from other booters? | | |
| ▲ | l23k4 2 hours ago | parent | next [-] | | Primarily specialist bulletproof ddos protection services like ddos-guard.ru, not "Cloudflare" as is the popular meme among clueless commenters. | |
| ▲ | linkregister 2 hours ago | parent | prev [-] | | Most modern booters are not maintaining public websites that could be the object of DDoS attacks. They're renting residential IP addresses from free VPN users. |
|
| |
| ▲ | kdheiwns 2 hours ago | parent | prev [-] | | Yeah, their origin is a story of absolute incredible luck. Cloudflare came out of nowhere and suddenly massive sites with huge user bases around the world, including places like 4chan, were getting DDoSed. Then they immediately announce that they transitioned to Cloudflare. Hell of a lucky time to make a company that the entire internet suddenly became absolutely dependent on. The funny thing about that era is you knew they started using Cloudflare because they went from stable with constant uptime to going down and showing a Cloudflare banner randomly all the time for a good year or so. They ran worse with Cloudflare than they did while they were allegedly getting DDoSed. The whole company glows, as the late great HN commenter Terry Davis would've said. | | |
| ▲ | UqWBcuFx6NV4r 2 hours ago | parent [-] | | Am i the only one that actually remembers this time period? It wasn’t that long ago. The confidence of your assertion is completely misplaced. I remember exactly where i was when I first read about CF, on launch day. DDoS attacks were CERTAINLY a big issue before Cloudflare came along. A whole lot of script kiddie energy was poured into them. LHC? Slowloris? IRC C2? This wasn’t niche stuff. That’s why I remember the CF launch, because I and everyone else knew that it was a big deal, given what the landscape had been for quite some time. Sorry if you personally didn’t have your finger on the pulse for whatever reason, but this was far from a niche issue, even for big sites / usual targets like 4chan. | | |
| ▲ | kdheiwns an hour ago | parent [-] | | I was there and recalled there being occasional script kiddy DDoS attacks here and there. But the uptime when being attacked was still much, much better than the first 1-2 years of actually using Cloudflare. |
|
|
|
|
| ▲ | illiac786 2 hours ago | parent | prev | next [-] |
| Well there is still the small detail of them not storing any logs. This is a massive issue in my view, it allows correlation across multiple VPNs exit nodes, but that’s it. It doesn’t allow to identify you automatically. It does significantly lower the bars for identifying you though, but the requirements are still high. Hopefully they fix this soon. I can’t believe this type of “let’s make it a hash or something sensitive” still happen, and at mullvad, of all places. Why not randomise it simply? |
| |
| ▲ | overfeed 2 hours ago | parent [-] | | > It does significantly lower the bars for identifying you though, but the requirements are still high If you squint a bit, it looks a lot like a "Nobody But US" (NOBUS[1]) scheme. A few more identifying bits could tip the scale for party that has a whole host of other bits on a list of suspects, without being useful to most other people. 1. https://en.wikipedia.org/wiki/NOBUS | | |
| ▲ | linkregister 2 hours ago | parent | next [-] | | Then why complicate it by being publicly insecure? If Mullvad were wanting to defeat anonymity, they could simply log the traffic metadata while falsely advertising they aren't. Their ads on San Francisco's public transit are good. | | |
| ▲ | hackinthebochs an hour ago | parent | next [-] | | Good VPNs tout the fact that they had nothing to give in response to a subpoena, or that there was nothing a law enforcement agency to find when they seized a server. For mullvad to be effective as a honey pot it needs to survive these events with its reputation in tact. | |
| ▲ | raverbashing 2 hours ago | parent | prev [-] | | "public insecure" JFC Security is always a balance. Always AI is showing that everything has a weak spot (wondering where are the "I don't make mistakes with C" now people are - but that's for another discussion) There's another commenter mentioning this makes sense because exactly it avoids them keeping information on which customer is matched to which server. You know, one of the things you don't want to log Could it be done better? Probably. Here's a better idea, logging off is 100% safe Meanwhile 99% of the normies will go for NordVPN |
| |
| ▲ | illiac786 2 hours ago | parent | prev [-] | | You definitely need glasses then. Let me specify: The user must have entered his data on one site which the attacker has control of. That is a high bar still. | | |
|
|
|
| ▲ | arcfour 37 minutes ago | parent | prev | next [-] |
| Mullvad predates the Snowden leaks by several years and was not mentioned anywhere in them. Sure, there are other intelligence agencies, but that's the one I'd be the most worried about. Since either they run it, or they would know of it and want to emulate the idea, or know of it and have access to it from the partner agency running it. Or they are not a threat to me. There's also the issue of no publicly known cases where someone that used Mullvad being deanonymized through the VPN but instead being discovered through some other opsec failure. If an intelligence agency has this capability they have been sitting on it for almost 2 decades without making use of the data. Hard to believe. |
| |
| ▲ | codethief 2 minutes ago | parent [-] | | > Mullvad predates the Snowden leaks by several years and was not mentioned anywhere in them. Wow, I didn't realize Mullvad was this old! Then again, maybe they weren't popular enough back then for intelligence agencies to target them? For instance, Mullvad kinda rode WireGuard's popularity wave by being the first(?) VPN provider to implement the protocol. Big ads on billboards came even later. So maybe they only became a target in recent years? |
|
|
| ▲ | cjblomqvist 2 hours ago | parent | prev | next [-] |
| In this particular case I'm quite sure it's not the case. Good arguments in the other comments (why not just log more if that's the case), but I also happen to know a little bit about the workings of Mullvad (I live in Gothenburg where they're from...) |
|
| ▲ | tommica 3 hours ago | parent | prev | next [-] |
| > This sounds like how I'd design a VPN if I were an intelligence agency. So does your comment... |
|
| ▲ | asdff 3 hours ago | parent | prev [-] |
| Makes you wonder... |
| |
| ▲ | BLKNSLVR 3 hours ago | parent [-] | | Every now and then there are articles like this one about something that Mullvad may or may not be able to do better, and there are always comments about whether they're an intelligence front. I don't know the answer, but there are two ways to take it: 1. Submarining to destroy confidence in an actually trustworthy, decent VPN company 2. They're an intelligence front. For me, Mullvad have the appearance of the greatest likelihood of being legit since they're not aggressively pushing their product with lies and fear mongering. That gels with my vibe. If they're an intelligence front, well, most VPNs probably are as well, so I'm no worse off. Luckily I'm not doing anything that would get me in the kind of trouble for which multi-jurisdictional cooperation is worthwhile. | | |
| ▲ | linkregister an hour ago | parent | next [-] | | You'll find comments accusing anything of being an intelligence front on internet message boards. I agree with you that public evidence is overwhelmingly in favor that Mullvad is earnestly trying to protect privacy. | |
| ▲ | 2 hours ago | parent | prev | next [-] | | [deleted] | |
| ▲ | 8cvor6j844qw_d6 3 hours ago | parent | prev [-] | | [dead] |
|
|
