
Just to note here - with Mullvad you can pay via gift card that you can find at various retailers (to get a one-time code that you can use to create an account). Of course they can see your IP address but there is no payment/contact information on the system.


(Carl from Obscura here)

Totally! Mullvad is _the_ pioneer in this space, and we look up to them. This is why they were our top pick for being an exit hop provider!


Hey Carl, sorry to hijack the thread but I have a question for you. Being the operator of a small website (5M views/month, 200k users), I am often plagued by targeted cyber attacks. Over the years many of these come from privacy enhanced networks (e.g. Tor, Mullvad, etc.). I have approached Mullvad many times with abusive user reports which they seem to simply ignore. How do you plan to address this in your product? Will you simply allow bad actors to abuse the internet via your service? Or do you have some plans to address this issue?


If the abuse is serious enough, pursue legal avenues. Otherwise, these types of companies shouldn't be unmasking users based on a random person's assertion that someone is bad. That would be an abuse vector itself.


I am not asking them to. I am asking them to do a better job of bad actor detection and banning. Their current stance seems to be “ignore all packets, log nothing”. In my opinion they should be doing some amount of AI based abuse detection. This should be possible without violating user privacy.


How would you get training data for the AI without logging packets?


AI is not the answer for most things, but it's especially not the answer for this. Basic packet filtering is all there should ever be.


> I have approached Mullvad many times with abusive user reports which they seem to simply ignore.

What would you like them to do? Considering that AIUI they outright don't log or monitor users at all, I can't think of anything they could do with your reports.


Yes, that is the crux of the issue. However, many times when I reported bad actors to Mullvad the attacks were multi-day attacks that were ongoing. It would have been trivial for Mullvad to add a filter to check for future packets from that VPN IP to my server IP and flag the associated account. However, I believe even this approach is far too manual and invasive. I think there would be a better way using AI to analyze abuse patterns, and automatically flag bad users which match these patterns.

The issue is that VPN providers have zero motivation to do this, because a non-zero percentage of their user base is literally paying them BECAUSE they can use the service to attack other servers with a level of anonymity. If the VPN providers were to combat this issue it would negatively impact their revenue.


> It would have been trivial for Mullvad to add a filter to check for future packets from that VPN ip to my server IP and flag the associated account.

In other words, to break the fundamental premise of their product and identify traffic to a user.

> I think there would be a better way using AI to analyze abuse patterns, and automatically flag bad users which match these patterns.

Not without, again, creating an entire system which exists only to record traffic and tie it back to users.

Basically, both of your suggestions amount to "stop providing the product that is their entire business model", because the whole point is that they go out of their way to avoid having the information that you want them to use.


They don't have to tie it back to an individual, only to an account or, if they respond quickly enough, to a set of activities or traffic pattern.


Let's face it man, they can't do anything.

They can't have AI detection or any other thing to help you. Simply put, they can't help you. If they have to, then they aren't that private.

And they are in the business of privacy.

I wonder why threat actors are abusing your website? I think you have also used Cloudflare anti-DDoS? So the problem isn't DDoS, then what exactly is the problem? Are they signing up and abusing your free service or something like that?


I can understand that concern, and I think in the future some version of [Privacy Pass](https://privacypass.github.io/) will allow for site operators to differentiate between normal vs. abusive users without relying on IP reputation (which is more unreliable anyway since CGNAT is a thing).


We typically don't ban IPs for the very reason mentioned here (CGNAT is a very real thing and we have many users who share IPs). However, we do ban IP ranges associated with VPNs that we see an excessive amount of abuse from. I might be an outlier on the internet, but if you take the stance you have outlined above, that you will effectively do nothing to combat the level of abuse from your network, you inevitably hurt your honest users because some web services will be unavailable to them via your VPN.


What would you suggest?


As a long-term user of Mullvad, I appreciate when new companies try to innovate on existing ones while acknowledging their value. While I have no interest in changing VPNs right now, I will keep an eye on Obscura. Wish you the best.


In theory, there could still be a possibility to track through the retailers who bought which one-time code (or have particular buyers be sent particular codes). But Mullvad also simply accepts cash by mail.


There's a new privacy-focused entitlement-proving thingy now. The first implementation is by Cloudflare I believe, but Kagi also just went live with it. The name escapes me at this mobile moment.


Privacy Pass!


Yes. Very exciting tech.


You can mail them cash too


Careful not to mail them from close to home, or have any handwriting, or leave any fingerprints.


Doesn't matter if you use Windows / Mac because it will ping their services before you jump on the VPN and it will know the before IP and the IP after. :)


Well, the 'after IP' is an IP shared with tens or hundreds of thousands of other people.

But yes, the use case for a VPN is pretty narrow. E.g. not wanting your ISP to mess with your traffic and decreasing chances of detection of torrenting.


Well, your computer usually gives away more clues than just the IP, so it's pretty easy to fingerprint you online.


My boy, Tim Cook, ain't a snitch though. (At least, I hope not).


You can't prove it. Apple isn't open source.

And with the recent debacle of the Snooper's Law Apple E2EE backdoor.

Let me tell you something. A company is asked for a backdoor and they are forced to not tell anybody about it.

The only reason why it was leaked was because of a whistleblower. And so, who knows if they have already signed such a thing with the NSA or UK for their Macs and other devices.


Hell, I honestly believe the NSA does not need a backdoor anyway. They have some absolutely frightening people working for them. I believe some of the best of the best.

I do not believe there is such thing as privacy from such organizations. If they want you bad enough, they will get you. Don't have a reason? They'll make one.


Snowden was right after all.


Probably, but no telling.

Do you remember the "Heartbleed" exploit in SSL many years ago? There were allegations that the NSA knew about and used that exploit for many years before the public ever knew about it. However, that is not exactly an easy statement to confirm nor deny.

Edit: I also wanted to add something I remember from a talk I saw with a person who once worked for the NSA. He was intentionally only talking about surface-level concepts, but he did mention that the one thing the NSA has, that most do not, is unlimited time and patience.

He said something along the lines of how they can just sit and watch a server, for example. Say that the server is on version 1.0.0 of whatever. Well, the NSA can find an exploit in version 1.1.0 and keep it under wraps. All they have to do is just wait. The second the server is upgraded to 1.1.0, then boom, they're in.

He also used the example of BYOD ("bring your own device") in workplace settings. Say they cannot gain entry into somewhere. Well, if they can compromise someone's personal device, then they can just wait. The second the personal device connects to the network they want/is in close enough proximity to the network they want, then boom, they're in.

Be it one second, one hour, ... 10 years, etc. They can wait. All it takes is one brief instance of a hole in the defense.

Truly some boogeyman level stuff, but I just hope they use their powers for good when possible. Though, I imagine plenty of other countries also have similar "arms race" abilities, which does complicate matters.

Some days, I just want to get a cabin in the woods, and get away from all this dystopian technology.


You want to live in a cabin in the woods; I kind of am.

While I was writing this message, I was roaming outside in the street. My street isn't developed, so there is a lot of empty space on two sides of my house.

I saw a peacock flying & sitting in front of my house. It was so majestic. Its wings when they fly, the sound they produce is so majestic that it touches your mind.

The solution isn't a cabin in the woods; the solution is living in a remote area like where I live. Seriously, I am not that far away from the main town, but still this place is so nice, I just realized. But development would come, and houses would get built. Then there would be no more peacocks flying in.

I really get what you are feeling. But I believe that getting away from dystopian technology is far easier by de-Googling with GrapheneOS or getting a dumb phone like me & Linux with sandboxing each application. I do think that we can get far away, like they would need to find a bug in such things like QEMU, pledge, Flatpak, etc., though I think they might already have found a bug in some version and, like you said, are waiting.

The only solution I can find is to read the source code of these sandboxing applications on Linux and to never update it / it should be such that it doesn't require updates, a completely minimal sandboxing solution.

How can we imagine they use their powers for good, when the president has handed things over to an oligarchy who want maximum profits? What benefit do they get from using their power for good? None. I am sure that they are using the power of both good and evil.


Also, I had read somewhere about a really strange conspiracy theory which really made me question if we can really be against government and big tech (since "lobbying" is made official). But if 5 Eyes (the billionaires?) really wanted (heck, only if UK + Australia wanted; Australian police are given the ability to remotely plant data in the nation's interest, and the UK also is getting Apple to force data to be leaked in the Apple ecosystem, and who knows what else), it's only a matter of time that they put 2+2 together (or they have?) and use it to plant CSAM (yes, the NSA has distributed CSAM for the purposes of catching people, so I wonder if such 5 Eyes also have these; please Hacker News moderators, just because I have mentioned CSAM, don't remove this comment I suppose).

And carrying CSAM is a serious offense and you will get into jail for it. And the jail prisoners aren't kind to CSAM-convicted prisoners and they would bully them immensely, maybe even cause them to commit suicide or just make their life hell.


OK, story time.

I have a friend/old coworker that left my current employer for our state's version of the FBI. While no worker in his agency handled CSAM cases full-time, they all have to do rotations.

There is a lot he could not tell me about the work he did, and how they managed to detain suspects. But I do remember him telling me that he witnessed things that he thought were not even possible. Considering we were both developers, I take his word for it.

Anyway, I once asked him, "What is stopping you all from beaming CSAM on a person's computer, and then targeting that individual?" He paused for a second and said, "Well, we would never do that..." I asked again, "Sure, but what is stopping you all from doing that?" He said, "Well, nothing... but we wouldn't do that..."

Right then, my heart had this sinking feeling. While he is probably right, it did instill a sense of "Well, you never know..." in me. Do I believe most people convicted of CSAM are guilty? Absolutely. Everyone? Perhaps not. Still, good luck convincing a tech illiterate jury of your peers that "the government did it to me!" As far as I am concerned, once charged with such crimes, one is guilty until proven innocent.

I have always believed that if 'they' want you bad enough, then they will get you. By 'they', I mean any of the powers that be -- government, organized criminals, etc.


Dude, I am not kidding, but this gave me so many goosebumps.

Goosebumps on my f'ing face.

And I was thinking this on 5 eyes level but you are saying a single country can do that?

When I had discovered that conspiracy theory which I now believe is true to some degree.

I then used to think, what if they want you to believe that you hold a chance? They don't want you to know they can get you as you are saying it. They want to give you the illusion of freedom. They will target their opposition, journalists, with this if all goes south. There are also secret courts.

May I ask, if they can always get you, why don't they use this in making their opposition go poof? If I am being extra conspiracist now, is it that they want to give you the freedom between two systems, both of which don't change things really that much? Both political parties are kind of the same thing.

But dude, what the actual fuck.

They can use CSAM to break general encryption by saying it's bad for children etc., they can use CSAM to punish those they want.

I am now seriously wondering if I even have real tangible choice in the government.

I am now wondering if I am literally living in 1984. What if these wars and shit are just a distraction; yes they happen but...

Dude, I have come to a realisation, I am seriously living in 1984. Reward is given to those who comply, those who aren't skeptics; skeptics are brushed off as conspiracists.


You can also mail them an envelope full of cash last I checked.