And it's all open source btw. https://github.com/system-transparency/stboot
Tangential to this, it always irks me how they all act as if the majority of the websites their users are going to aren't HTTPS, and act like their main benefit is filling in the gaps that HTTPS actually fills in.
HTTPS isn't a cure-all by any means, but most of the scare tactics from the big VPN companies that advertise via YouTube act like anyone will rip your credit card because you happened to be on Amazon while you were at the coffee shop.
Tom Scott is the only person I've ever seen have a great video about this [0].
I hear most of them saying "Don't want your ISP spying on where you're browsing? Use a VPN." Which HTTPS does not cover.
In terms of diskless, I've run 25k+ iPXE deployments on diskless blade servers using a highly customized Ubuntu, and it was fantastic.
Regardless of OS choice, being diskless is also quite nice... if there was a security issue or you need an upgrade of some sort, you just reboot. Only thing is that it takes a while to reboot 25k servers... even on gigE. It was a bit of work to build the scheduling system to make that happen reliably, but it worked out quite well.
Even better if you had boxes with 10 gigE and the smaller image. Would take your times down from like 6-10 hours to 1.5 hours.
Also, I doubt a full 25k restart all at once; you probably had underlying applications that expected rolling, blue/green, or even a % of nodes that can go offline at once.
Last time I managed a small «supercomputer», 50x IBM blades running Suse, it wouldn't support PXE/NFS without kernel customization, but that would void support contracts and finicky third-party software. Made a switch to FreeBSD, where everything worked out of the box one hour later. That was over 15 years ago, I have no idea how much the situation changed.
Let's say a pedophile uses Mullvad to get forbidden images, isn't the VPN liable?
I mean, law enforcement will see that the IP was from Mullvad's office, so I assume they are the ones doing it? How do they avoid this?
It is a real doubt. Maybe stupid, but real.
The feature is called Perfect Forward Secrecy, and protects past flows from later key compromise.
WireGuard supports this, which is what Mullvad uses. (For some reason, speculation about which is an exercise left to the reader, WPA in Wi-Fi still does not.)
(That being said, I think having your RAM frozen to extract ephemeral secrets is firmly in the “fully hosed” threat model, and is not a realistic model for 99.9% of users to plan for.)
You can enable SME in the BIOS on all AMD-based business laptops and AMD EPYC servers.
1. https://www.amd.com/content/dam/amd/en/documents/epyc-busine...
> When servers are rebooted or provisioned for the first time, we can be safe in the knowledge that we get a freshly built kernel
Any info on what the period of time for doing so is? Do you provision them every day, week? An hour maybe? The longer the period, the less chance of some attack vectors.
Most VPN companies advertise that they do not keep logs of your browsing...
Which would be an infraction of European and American laws.
So I don't know what to think of diskless VPN.
Wouldn't using a disk in read-only mode accomplish the same thing?
Third-party audits are a scam to begin with and don't prove anything.
The custom server is a niche security point. While every server is continuously researched and patched, we cannot expect the same from a server like this. If someone were to find a security hole, an attacker would purchase it and no one else would ever know the system was compromised.
But, if anything should be a decentralized anonymous crypto-paid service, it should be a VPN network.
Centralized VPNs are still a single point of failure privacy risk. We have to trust they don't share our identity/account info and activity.
I am surprised dVPNs are not THE first rationale given for crypto. I.e. since separately and together they (ideally) have a clear comparative advantage over other alternatives for strong privacy.
A performant global open-standard dVPN could become an indispensable layer of web access.
I also wouldn’t be surprised if it’s a performance benefit, since RAM is far faster than any permanent storage.
The cons are probably just that this is a pretty unusual architecture that they probably had to put some work into setting up and making it reliable.
But, obviously, that's pretty insane. Agree with everything that this is a big leap in the step of better protection for users.
There may inevitably be some bad actors.
But then there are other companies like OVPN who proved in court that when they say no logging they mean it[1].
Edit: Forgot to mention backdoors built into basic technologies they may already be using – like the Cavium HSM thing that came to light earlier this week.
Frankly VPNs don't protect you from anything other than the most monitoring systems and the occasional public wifi connection. They're really just glorified Netflix region proxies and nothing more to most people
Like, how would that even work? Without a court gag order, gossip would make its way out of the building in weeks. The cell phone shit was only quasi-secret because only police department employees were involved, something that's impossible for these VPN outfits. They don't get any of the (unjustified) privilege that the CIA or NSA (or even the FBI, sometimes) receive.
Anything I might do that could pique the curiosity of law enforcement is definitely below the level of federal intelligence agency interest. Maybe your life is more exciting though.
Sweden absolutely has LI requirements for all telecom gear but vpns I have no idea.
What you've described, to me, is the VPN logging customer activity and then sending it elsewhere to be stored.
Commercial VPNs typically run on rental servers -- usually a mix of the major cloud providers and smaller hosting providers -- and in my former company's case, using dedicated hosting (bare metal where available). Steps were taken to restrict access for physical actors, but ultimately, the mantra's always that physical access basically guarantees data access on a long enough timeline if you assume there's a bad actor in the mix.
That said, to the best of my memory, there were no indications of this kind of data siphoning happening without our knowledge, and we absolutely didn't take part in it ourselves knowingly. Occasional requests would come in from various international law enforcement orgs, and every time they'd be replied to with a message about how we don't store user records (which was a truthful reply AFAIK).
The biggest challenge for us was competing with some of the newer actors in the space, taking advantage of deceptive marketing and engaging in (IMO) unethical business practices for the sector:
- Claims of "no logging," even backed up by audits, are only ever point-in-time measurements, and may not reflect reality if the VPN provider approaches the auditors in bad faith (say, with a sanitized code base); a good auditor in my experience will refuse to make this claim in the report
- Claims about having the corporate HQ in one country making it immune from the laws of countries they operate servers in (this is deceptive marketing; failure to comply with laws will get you shut down, and at my old employer we'd make calls about whether to just drop our server presence in a country entirely in response to local laws and political happenings)
- Commercial resale of user data is (allegedly) rampant among many of the newer providers you see constantly plugged on Youtube. This isn't helped by the massive consolidation of the VPN market under just 2 or 3 holding companies.
I won't name names for the companies I mentioned above, but my recommendation is to adjust your threat model from "nation-state level surveillance" to "commercial data resale just like every other web service."
As far as data collection went for my old company: we collected system metrics like resource usage over time, and kept minimal sanitized logs to help diagnose any production issues that'd come up -- basically the absolute minimum amount of data we needed to keep the service operating smoothly. I have every reason to believe this is an industry norm, since otherwise development and troubleshooting would be nearly impossible.
Anyway, there's also the looming "threat" (lol) of HTTPS and encrypted DNS proliferation and improvement making the core use case for commercial VPNs obsolete. I think anyone who's spent a bit of time in that industry realizes that the business model isn't long for this earth as a result, so I suspect many are trying to milk the industry for all it's worth. Personally, I'm all for HTTPS and encrypted DNS proliferation, and I'm also hoping more and more commercial public networks start using virtual private subnets and other device isolation features to make it even harder to abuse coffee shop Wi-Fi.
For a lot of people the core use case is accessing Netflix in a different country!
If you live in a country with detailed data retention laws, this massively changes the shape of the graph: rather than your computer connecting via HTTPS to lots of other IP addresses, it only connects to one, which a large number of other customers do too. The argument then goes that there's enough inherent jitter and generic "chaff" on the internal network to make it very hard to deterministically work out if one of your packets going into a popular service is the same as that coming out at any moment in time; the greater the traffic of the network and the provider, the better the statistical protection becomes as the packets become indistinguishable.
This, and the fact that it represents a giant "no thanks" to dragnet surveillance, is arguably a good reason to just put a VPN on your router (as many people do).
Honestly I don’t think audits are worth anything. But it’d be a huge conspiracy to mess with so many parties.
In this sense, they're valuable. As someone working in software, I can figure out if the bugs were subtle or blatant, which is often a good proxy metric for the competence of the team behind the product. Are the same bugs cropping up year after year, even if they've already been previously fixed in other parts of the code? Again, a good red flag to use there.
Audits do not and often cannot cover things like "is the company reselling connection/user metadata to other companies," though, and in most cases consumers will care that there is an audit rather than caring what's in the audit.
I frankly wouldn't be surprised if it's actually happening.
No they can't, because THEY are still logging.
Running a production-grade service with zero metrics and logs? If there's an outage, or even something as mundane as a VM failing to provision, you're telling me that Mullvad developers just shrug and say "well, we can't do anything, because there's no logs!"
I don't use a third party VPN, but if I wanted to, "we deliberately eschew all observability" is not a positive selling point.
Ditto for logging. They claim to not log activity over the VPN itself, but I don't see any claims about not logging more mundane infra stuff like "a VM failed to provision". I think you're arguing here against claims they aren't making.
Logs can similarly be of system events only.
> However, had they taken something, it would not have given them access to any customer information.
> These are the national laws that make it possible to run a privacy-focused VPN service in Sweden:
This is my fear.
The more significant concern is if you are the other side: if you deliberately run some sort of VPN or other proxy that others can use, or less deliberately do so. Many hacked or otherwise suspicious browser add-ons, and other malware, will make HTTP(S) requests & other connections on behalf of their C&C hosts, and to your ISP or anyone else those requests will be largely indistinguishable from those that are the result of your activity.
You need a VPN that actually cares about your privacy and goes the extra mile to ensure it. On top of that, if the VPN service does not know who you are, how can they actually tell the cops? On top of that, you don't need to explain it to the cops - if you are ever accused, this should be done in a court of law where we understand what IPs are (heck, even some cops understand it - it's not exactly rocket science nowadays).
> A decentralized VPN is a distributed VPN service where volunteers supply your VPN servers instead of a single company – but paid by crypto. Like with regular VPNs, you have to trust that the VPN server isn’t monitoring your data. But instead of there being a single VPN provider company behind it all, you have to trust that none of the thousands of server volunteers are spying on you.
Is this a correct understanding of dVPNs? Is there a rebuttal, especially to that last sentence?
You have a network of VPN point providers. As you communicate, data can be sent through any series of points.
Data is encrypted end-to-end, and the addresses for the point providers are also encrypted so that each point can only decrypt and see the next point to forward data to.
So each point knows where data last came from, and where they are sending it. But they don't know:
1. Which step of a chain of points the data is at.
2. If they are the first in the chain (i.e. the "from" is the source)
3. If they are the last in the chain (i.e. the "to" is the destination)
And (as long as two or more points are traversed, which would be always), no point ever has access to:
4. Both source and destination info.
Finally, since payments to each point are handled through a combination of peer-to-peer point bookkeeping and a crypto blockchain account, no point ever knows:
5. Any identity information about who uses the VPN.
6. Any way to identify activity over time that is related.
Acting as a point, as well as using the network, serves to further cloak activity, as being from you vs. passed through you.
And an alternative to crypto payments would be earning usage by providing point service.
EDIT:
> so I searched and found https://surfshark.com/[...]
Any VPN provider that is claiming decentralized VPNs are a greater risk is either misinformed, or willing to misinform users.
I wouldn't trust a VPN provider from either category.
Actual reasons to not use a dVPN might be that it is a work in progress, not supported well, its source code is not open, or not yet vetted by experts, too slow, not many points yet, etc.
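The chain described in this post, as an added toy model (not any dVPN project's code): the SHA-256 XOR keystream stands in for a real cipher, the relay names and keys are made up, and the check is that no single relay's view ever contains both the client and the destination.

```python
import hashlib
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream derived from SHA-256; stands in for a real AEAD cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def build_onion(path, destination, payload):
    """Wrap payload in one layer per relay. path is [(relay_name, relay_key), ...]
    in forwarding order; each layer names only the hop that comes next."""
    layer = json.dumps({"next": destination, "inner": payload.hex()}).encode()
    blob = _seal(path[-1][1], layer)
    for i in range(len(path) - 2, -1, -1):
        layer = json.dumps({"next": path[i + 1][0], "inner": blob.hex()}).encode()
        blob = _seal(path[i][1], layer)
    return blob  # this outermost layer is addressed to path[0]


def relay_peel(key, blob):
    """What one relay does: strip its own layer, learn the next hop, forward the rest.
    A wrong key yields garbage that fails to parse (ValueError)."""
    layer = json.loads(_open(key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])


def route(client, path, destination, payload):
    """Simulate forwarding and record what each relay could observe.
    A relay sees a 'from' and a 'to', but nothing marks whether 'from' is the
    real client or 'to' is the final destination."""
    keys = dict(path)
    views = {}
    prev, hop, blob = client, path[0][0], build_onion(path, destination, payload)
    while hop in keys:
        nxt, blob = relay_peel(keys[hop], blob)
        views[hop] = {"from": prev, "to": nxt}
        prev, hop = hop, nxt
    return views, hop, blob  # hop is now the destination, blob the delivered payload
```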
So it should be Tor?
Third-party audits prove something. They don't prove everything.
This was effectively 25k PS5's... much more powerful now.
I did not have a choice over the hardware design.
Each worker was individual. Underlying application didn’t care.
We had a couple full power outages. They were set to boot automatically. So yea… full restarts.
And that would be the next most interesting post, imo. A post about how they metric and log in a RAM-only environment while obscuring or obfuscating the details that could lead to “compromise”. Even if the answer is something so simple like “we regex and discard this out”, I would feel more trusting of their services.
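One way a RAM-only service could keep infrastructure logs while regexing client identifiers out, as an added example rather than anything Mullvad has published: the log lines and the peer key are constructed, and the patterns assume WireGuard-style "peer <key> endpoint <ip>:<port>" lines.

```python
import ipaddress
import re

# Address candidates are validated with the ipaddress module so that
# timestamps such as 12:00:01 (which look like IPv6 groups) are left alone.
_IPV4 = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?(?![\w.])")
_IPV6_BRACKET = re.compile(r"\[([0-9a-fA-F:.]+)\](?::\d{1,5})?")
_IPV6_BARE = re.compile(r"(?<![\w:])([0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7})(?![\w:])")
# A WireGuard public key is 32 bytes, i.e. 43 base64 characters plus '='.
_WG_KEY = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{43}=(?![A-Za-z0-9+/=])")

FAKE_PEER_KEY = "k" * 43 + "="  # constructed placeholder, not a real key

# Constructed sample log: two lines that identify a client, two that do not.
SAMPLE_LOG = [
    f"2024-03-01T12:00:01Z wg0: peer {FAKE_PEER_KEY} endpoint 203.0.113.7:51820 handshake ok",
    f"2024-03-01T12:00:02Z wg0: peer {FAKE_PEER_KEY} endpoint [2001:db8::1]:51820 handshake ok",
    "2024-03-01T12:00:05Z provisioner: vm-17 failed to provision: disk quota exceeded",
    "2024-03-01T12:00:09Z health: wg0 rx 1.5 GiB tx 1.2 GiB, 1024 peers active",
]


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def sanitize(line: str):
    """Return (redacted_line, number_of_client_identifiers_removed)."""
    removed = 0

    def ip_sub(m):
        nonlocal removed
        if not _is_ip(m.group(1)):
            return m.group(0)  # looked like an address but is not one
        removed += 1
        return "[ip]"  # the port, when present, is dropped with the address

    def key_sub(m):
        nonlocal removed
        removed += 1
        return "[peer]"

    for pattern in (_IPV4, _IPV6_BRACKET, _IPV6_BARE):
        line = pattern.sub(ip_sub, line)
    line = _WG_KEY.sub(key_sub, line)
    return line, removed


def sanitize_log(lines):
    """Redact a whole log; system events pass through untouched."""
    return [sanitize(line)[0] for line in lines]
```

Diagnostics such as the failed provisioning line survive intact, while nothing that ties a line to a customer (peer key, endpoint address, source port) reaches whatever the sanitized log is shipped to.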
I think they just mean ephemeral.
First audit, from 2019: https://my.purevpn.com/pdf/Privacy_No_Log_Audit_Report.pdf
I tried to contact the auditor, Altius IT, in order to confirm whether exfiltrating connection data to a third party would result in the audit failure. They replied, but in a very vague way (refused to answer any questions regarding Altius IT's audit of PureVPN's environment). Well, at least they confirmed indirectly that the audit did exist.
Second audit, from 2023: https://www.purevpn.com/wp-content/uploads/2023/07/KPMG_Pure...
I tried to contact KPMG to verify the authenticity of that report, and also asked the same question - "whether deliberate real-time exfiltration of origin IP addresses, assigned VPN IP addresses, connection timestamps, or connected user activities to a third party by PureVPN, without PureVPN (as opposed to that hypothetical third party) storing anything locally in any form of logs, would have constituted a failure of the privacy assessment." Result: no reply from KPMG at all, so I cannot be sure even that the report indeed comes from KPMG and is not a fake.
The ideal way to authenticate audits IMO would be for the audited entity to link back to a PDF or other report hosted on the auditor's site.
With encrypted DNS you're just shifting the burden of data privacy away from the local network to the DNS operator. How you determine which operators to trust will probably vary from person to person.
Anyway, the major difference here would be that a VPN will encrypt all traffic in a tunnel, from your DNS requests to your actual followup web requests. On the flipside, you may use encrypted DNS to look up records for a domain that serves content over an unencrypted connection.
But we do still have to trust that they are actually running the code they posted.
Unless that code somehow contains some way to verify itself?
I wonder if there is some way to do that? Have the code include a hash of itself and some way to query the running service that guarantees that the running service must be running the code you are looking at?
At first glance it seems any response could always be faked, but maybe there is some cryptography trick where you submit something, like an encrypted copy of the public code maybe, and it crunches and returns something, and that somehow proves that the running code you can't see must be the same as the code you can see.
Depending on how the protocol for the challenge works, that could still be faked. The challenge has to somehow not be separable from ordinary traffic so that you can't have one piece of code handle the challenge and another piece of code handle other traffic.
- Multi-party computation. Too much overhead for something like this.
- Remote attestation, as seen in e.g. Intel SGX. Usually provided by the CPU vendor. Not a cryptographic guarantee, more of a "it'd be very hard to defeat this if you're not Intel". Probably not that warrant-resistant.
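The difference between a server vouching for itself and a measurement signed by something the server software cannot control, as an added simulation (not Mullvad's, Intel's or stboot's code): the HMAC key plays the vendor-certified attestation key and is an assumption of the model, so the verifier still has to trust that root, which is exactly the caveat in the remote-attestation bullet above.

```python
import hashlib
import hmac
import json
import secrets

# Constructed stand-ins for the published server code and a tampered build.
PUBLISHED_CODE = b"def handle(packet):\n    return forward(packet)\n"
BACKDOORED_CODE = PUBLISHED_CODE + b"    copy_to_third_party(packet)\n"


def measure(code: bytes) -> str:
    return hashlib.sha256(code).hexdigest()


class TrustedRoot:
    """Simulated measuring layer (the firmware/CPU role in real attestation).
    Its key is never visible to the server software; the HMAC stands in for the
    vendor-certified signing key, so the verifier has to trust this root."""

    def __init__(self, key: bytes):
        self._key = key

    def quote(self, loaded_code: bytes, nonce: bytes) -> dict:
        body = {"nonce": nonce.hex(), "measurement": measure(loaded_code)}
        msg = json.dumps(body, sort_keys=True).encode()
        return {"body": body, "tag": hmac.new(self._key, msg, "sha256").hexdigest()}


class Server:
    def __init__(self, root: TrustedRoot, loaded_code: bytes):
        self.root, self.loaded_code = root, loaded_code

    def self_reported_hash(self) -> str:
        # The server controls this answer entirely, so it reports whatever the
        # client expects, regardless of what is actually running.
        return measure(PUBLISHED_CODE)

    def attestation(self, nonce: bytes) -> dict:
        # The server cannot choose the measurement: the root measures what is loaded.
        return self.root.quote(self.loaded_code, nonce)


def forged_quote(nonce: bytes) -> dict:
    """A server without the root's key can claim the right hash but cannot sign it."""
    body = {"nonce": nonce.hex(), "measurement": measure(PUBLISHED_CODE)}
    return {"body": body, "tag": secrets.token_hex(32)}


class Verifier:
    def __init__(self, root_key: bytes, expected_code: bytes):
        self._key, self.expected = root_key, measure(expected_code)

    def check_self_report(self, server: Server) -> bool:
        return server.self_reported_hash() == self.expected

    def check_quote(self, quote: dict, nonce: bytes) -> bool:
        """Valid signature from the root, fresh nonce (no replay), expected code."""
        body = quote["body"]
        msg = json.dumps(body, sort_keys=True).encode()
        tag_ok = hmac.compare_digest(hmac.new(self._key, msg, "sha256").hexdigest(), quote["tag"])
        return tag_ok and body["nonce"] == nonce.hex() and body["measurement"] == self.expected
```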
Hypothetically, you can rewrite the firmware for the IPMI with a backdoor and extract data.
Hypothetically, you could kidnap the family of a developer and force them to add a surreptitious side channel for exfiltrating data.
Hypothetically, you could run the universe in a simulator and use the simulator's controls to read data from RAM in the simulated Mullvad servers on the simulated Earth.
If you don’t think they look forward to those cases, I think you’re the one who has read them wrong, not me.
'If it's illegal to advertise that you've received a court order of some kind, it's illegal to intentionally and knowingly take any action that has the effect of advertising the receipt of that order. A judge can't force you to do anything, but every lawyer I've spoken to has indicated that having a "canary" you remove or choose not to update would likely have the same legal consequences as simply posting something that explicitly says you've received something. If any lawyers have a different legal interpretation, I'd love to hear it.' --Moxie Marlinspike
I've always felt that the warrant canary is a nerd's gotcha designed to get out of a sketchy legal process (NSLs) and that judges would be very unsympathetic. But IANAL.
What if they have one like this quarterly canary at privacy-forward "write.as" last updated 9 months ago?
It should be noted with significance if this message
fails to be updated on a quarterly basis.
2023-01-05 21:06:06 UTC
No warrants have ever been served to Write.as, or
Write.as principals or employees.
https://write.as/privacy --> https://write.as/canary.txt
Years ago I handled fraud cases for an e-commerce site with local police, at some point they started asking for IP and port numbers for the offenders, rather than just the IP. Turns out that one of the cellular phone providers had basically run out of IPv4 addresses for their 4G network and did some NAT solution. If you didn't have the port number the client had connected from then they could only tell you which cell tower had been used, not who the customer was.
Some kind of economics are needed to overcome the fact that there are only a few thousand Tor nodes [0], making it relatively easy to compromise the network by any entity willing to pay for a couple of thousand nodes [1], which is a bargain for any intelligence service.
I.e. Tor is pretty safe, but because it’s volunteer, it is also a bit of a honeypot.
Now take all the money people spend on commercial VPNs, and anonymize accounts while making some privacy-first crypto actually useful to the general public.
Millions of nodes, or tens of millions.
The benefits come not just from linear node path anonymity.
By spreading traffic packets in parallel across different paths, and geographically, so it’s near impossible to track anything useful even with a lot of compromised nodes.
Assuming you have a LOT of nodes.
(Geography here meaning Internet topology, verified by minimal latency.
Topological information for millions of nodes will help keep latency low, while increasing the number of nodes in each path, for a better security vs. latency trade off.
So nodes could be incentivized to locate and scale based on topology & usage.)
If there is a way to make Tor anywhere near that secure a lot of people would like to know how.
Economics matter, and this money is being spent already.
[0] https://metrics.torproject.org/networksize.html
[1] https://www.makeuseof.com/tor-exit-nodes-spying/#:~:text=A%2....
Once DIMMs are seated, secure the ends with superglue, then brush conformal coating over the bus traces.
The second step is likely not even necessary if the motherboard is a 4 layer pcb with traces in the middle.
Even cellphones...you want them running decrypted, but inside a Faraday cage of some kind to block remote wipes.
When a company, who already has a canary in place, receives this kind of warrant, what _can_ the company practically do to comply with non-disclosure? It seems that lying is now the only option left, if the company must explicitly post a "no, we didn't receive such a warrant".
The degree to which these should be scary is not equivalent, yet browsers will treat all of these as equivalent even though they can distinguish between them in the error page. It just results in clickthrough fatigue, where technical users just ignore the warning because it's not worthwhile to deal with even when they really should.
Plus a VPN won't protect you from a malicious hijack, it just prevents them from grabbing your IP address.
The difference between a misconfiguration and a compromise is intention, both should be treated as equally suspicious.
The only two valid use cases of big VPNs like these are
1. Very mild security increase over public wifi
2. Shifting your risk from the ISP spying to mullvad or the VPN provider spying or slightly anonymizing if mullvad rotates IPs.
(2) is a real benefit because ISPs are pretty terrible, but it's still pretty minor in the grand scheme of most people's threat models.
4. You live in a country where certain websites are blocked because the government doesn’t agree with them, or because those websites don’t want to deal with your country.
I couldn't imagine clicking past one of those warnings to log in to my bank or even Amazon.
As far as I recall this is not possible on Chrome if you are MITM'd. If the cert presented doesn't match the cert in the HSTS cache, there is no option to bypass. If the server's cert is expired, then you do indeed see the option, but an expired certificate doesn't necessarily mean danger.
But to run dd wouldn’t you need root access? And couldn’t you use that to dump the FDE keys from memory?
Unless you're in the UK, in which case: "You do not have to say anything. But it may harm your defense if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence."
The parent comment implies that in such a case “no comment” is not compliant with the law, as it informs the inquirer.
Hence the only way to comply is to answer “no”, which is a lie.
A number that rounds to zero in the 21st century is the number of people who have been randomly cancelled. You can disagree that it is proportionate to their offense, but z e r o people were just sitting around and woke up a) in the public eye and b) were completely and entirely good people who were maligned needlessly in a permanent way.
It is in no way a real concern for 99.9999999% of people.
The difference between a canary and a "no comment" is that "no comment" is an extremely common thing to say whether an allegation is true or not so it's not very suspicious, while stopping a canary is very suspicious.
So it's like the scenario you outlined earlier, but more effective.
If you think "no comment" means either yes or no, you're pretending to know something you don't, and you should absolutely stop and go "wait, why am I lying to myself? And why am I believing my own lie?"
Demonstrably false. There are a significant number of individual cases I could mention off the top of my head. If you want a whole bag of them to look at in one go, read up on the NOTW “name and shame” campaign which resulted in numerous entirely spurious accusations, and actual vigilante attacks as well as legal investigations. The court of public opinion can be a concern for all.
> b) were completely and entirely good people
On a slightly more facetious note: if anyone claims to be absolutely 100% totally good, someone somewhere will disagree :)
There is no objective definition of good that all will agree on, and even if there are none of us are perfect our entire lives.
Nobody has been cancelled randomly, and I genuinely pity people who go through life fearful such a thing could happen to them.
You're the one that said no comment was suspicious! I said something weaker than that, that it's not very suspicious.
I'm not the one that said a canary failing is a yes. I said it was significantly more suspicious than a no comment.
If it's about what powersnail is saying, I think they're just wording things imprecisely. The canary doesn't actually affect the meaning of "no comment". The canary means that if it disappears, things are very suspicious, and if you ask directly about the canary and get a "no comment" then you not only stay very suspicious, you also know they didn't forget. The no comment itself is not a "yes", but from a security point of view you should treat this active lack of canary as if it is a "yes".
Which they referred to as a "practical/tentative yes". Which I think is a reasonable way to describe the situation. It's not "flat out wrong" or "counter-productive".
> so even if it's going to lose you some customers, no comment
You're going too far here.
If you used to comment on something, and you could easily comment on it, and it loses you customers not to comment... you should comment. If you don't, it is suspicious.
You: “It happens to a small number of people, there are many many more people than that, so it averages out to effectively zero, so no one needs to worry”
Me: “Toe stubbing only happened to a small number of people, there are many many more people than that, so it averages out to effectively zero, so no one needs to be careful about their feet”
HHGTTG: “the volume of the universe is infinite there must be an infinite number of worlds. But not all of them are populated; therefore only a finite number are. Any finite number divided by infinity is zero, therefore the average population of the Universe is zero, so the total population must be zero and any people you may meet are just figments of a deranged imagination”