Comment by gameoverhumans

3 years ago

You can pay for the service by mailing them cash: https://mullvad.net/en/pricing

They run servers with no hard drives: https://mullvad.net/en/blog/2022/8/1/expanding-diskless-infr...

You cannot hide from governments. If they want you badly enough they can track you anywhere. So, don't do anything illegal and expect any VPN to protect you because you paid in cash! Remember, all governments have secret national security laws to surveil all data all the time and almost all governments' (even supposed enemies) secret national security agencies cooperate if they badly want to catch someone.

You cannot hide from advertisers if you use a smartphone with apps. App developers who put ads within their app control the app's behavior completely and hence they can fingerprint your device and track you very well without using IP addresses. And within browsers, they can fingerprint you through many JavaScript features of the browser. Hiding your source IP does very little for your privacy.

Almost all traffic (apps and websites) is encrypted via TLS (HTTPS, for example). So, even if you are on an insecure network, unless your OS's TLS certificate store is compromised, your communications are encrypted and protected against snooping from that insecure network.

Also, even on open wifi networks, today, it is very unlikely that the wifi is running without at least WPA2 encryption. Most modern airports run secure wifi. (But they also monitor all traffic metadata for illegal activities).

So, using a VPN as an exit node is just privacy theatre. VPN exit nodes in faraway countries are useful for bypassing content censorship in your own country, but it works only if the content streaming service cooperates with you.

Remember, all ISPs are heavily regulated by governments and can be asked to mirror a specific customer's traffic for analysis. I would be very surprised if they don't proactively do it for all VPN operator nodes by default.

  • > You cannot hide from governments.

    Plenty of people have and I would rather they have to spend a Tor 0day amount of cash to do it than to do it trivially.

    > You cannot hide from advertisers if you use a smartphone with apps. App developers who put ads within their app control the app's behavior completely and hence they can fingerprint your device and track you very well without using IP addresses. And within browsers, they can fingerprint you through many JavaScript features of the browser. Hiding your source IP does very little for your privacy.

    Sure, if you have sketchy apps, but Apple has both legal enforcement and approval of apps.

    > So, using a VPN as an exit node is just privacy theatre. VPN exit nodes in faraway countries are useful for bypassing content censorship in your own country, but it works only if the content streaming service cooperates with you.

    ...? They can't trace where your requests came from....

  • Are there browser plugins that can "fake" your browser fingerprint somewhat? Like, e.g., only showing OS default fonts installed, or fixing screen dimension info, etc? Or would this require forking a browser's code?

    Maybe futile, but I'd still consider using it.

Not just no drives, but also no logs, and per their last audit they're working towards no administrator access to the shell.

The cash thing is awesome and good for them.

That said, I don't know if Mullvad is good or evil, but one of the ways you can evaluate companies is to recognize when they're making sketchy, not-relevant claims to create an air of legitimacy.

This "our servers have no disks" kind of thing is marketing. It is meant to imply something that it doesn't actually demonstrate. Who cares if there are local disks? It doesn't change the threat model at all, it's mostly to convince people who don't know very much about claims which are basically impossible to prove. It's the higher-tier version of "we use military grade encryption."

Lawful Intercept on the public internet does not rely on local hard drives on any node in the network and has not since the 90s, as a specific example of how meaningless this is.

  • I disagree - while it does not prove they aren't doing something nefarious, I think it is easier to demonstrate that you aren't logging to network calls than it is that you are accidentally spilling something to disk.

  • In Sweden, physical search of the drives is a real concern. The Swedish national police attempted to search Mullvad once, but since there was no data to seize they left empty-handed.

  • > one of the ways you can evaluate companies is to recognize when they're making sketchy, not-relevant claims to create an air of legitimacy.

    This is an excellent heuristic. Personally I like to evaluate trustworthiness in terms of integrity and competence - can I trust their values and can I trust that they know what they are doing? Words are cheap of course. Consistent action across several years is much harder to fake. It also overlaps with another heuristic I use to model and predict the behaviour of a company; a company's behaviour will converge on the shareholders' goals over time.

    > This "our servers have no disks" kind of thing is marketing.

    You are correct that we considered that aspect while writing the blog post, but please read the content before passing judgement. See the section titled "To recap about “no disks in use”" in particular.

    On the topic of "air of legitimacy" I'll just leave these here:

    * Our apps have been open-source since we launched in 2009

    * Our response to Shellshock: https://www.sigsum.org

    We're certainly not without fault, but hopefully this helps inform your opinion of Mullvad.

    Best regards, Fredrik Stromberg (co-founder of Mullvad VPN, Tillitis, Glasklar Teknik)