Thank you, Mullvad team! This is quite literally the only feature I've been wanting. Everything else works well. Bandwidth? Excellent. Apps? Excellent. WireGuard? Excellent. No form of KYC required, period? Excellent. Payment options? Excellent.
I hope I don't live to see you turn into every other shady VPN service.
I really like Mullvad's service too (WireGuard)... My only issue is that it seems to have become increasingly difficult to access many websites through their servers.
I suppose this is inevitable to some degree with any VPN service, it's part of the deal for more privacy, you have to share an IP with potential sources of abuse. But it seems to have gotten really bad recently to the point that I end up server hopping throughout the day because different websites will have blocked different Mullvad servers - to complicate matters some of their newer server IPs hosted by another company are misidentified as Russian and blocked by many sites and services.
I'm not blaming Mullvad, but it's changed my use of their service from a set and forget to a constant reminder that I'm on a VPN... I don't know what the solution is beyond some crude cycling of IPs.
The way I see it, websites like that are saying they’ll only do it without a condom. You want it real bad, so it’s tempting to try to bargain about it, or maybe just take it off for now - it’s just a little while, what’re the chances it goes wrong? - but we all know that the smart move is to keep it on or back out entirely. Reasonable partners, of which there are many, understand and cooperate. And ones that don’t aren’t the type of partner you want anyway.
> My only issue is that it seems to have become increasingly difficult to access many websites through their servers.
Welcome to the world of Tor users. People who value online dignity
need to work together against privacy hostile web technologies. My
present bugbear is Cloudflare, who seem to do a lot to disrupt privacy
respecting technologies. Ultimately though, the power lies with web
service designers. One can no longer pretend "I didn't know" when
turning over delivery to some cheap (free) but shady CDN who then
blocks millions of legitimate users because they don't want to be
tracked and spied on.
Yea problem from an admin perspective is that all malicious traffic attempts to use privacy respecting technology. It’s more guilt by association than anything else for the legitimate users.
One of the weird realities is that in order to combat fraud you need to be able to identify the source, which is a hard reality as a privacy advocate.
HN tends to be pretty micropayment / cryptobro averse (for good reason, mostly) but I think this is a problem that crypto could legitimately solve - Tie an anonymous 'identity' to a well-seasoned (unmoved for >x time, where x = days for some things or maybe years for some things) wallet with some reasonable amount of funding in it ($100 or something) and you become 'Guy who owns that hundred bucks'. Moving the hundred bucks unseasons it. The provider only respects your claim to be an individual if you can prove you've got a pile of 100 seasoned bucks. If you do something I don't like, I can ban that pile from further interaction. Malicious users would immediately move the money around, but at least the malicious actors would need a lot of piles of money constantly moving around and 'seasoning' to create a bunch of fake individual identities, which gets prohibitively expensive at scale for all but nation-state type actors which you're not going to be able to defend against anyway.
Bam - I am anonymous, but have (mostly) proven I am a real person with (mostly) reasonably good intentions.
This is exactly how crypto solves the problem that another thread said Google was solving with your phone number. Phone numbers are expensive they say!
It's a put up or shut up kinda system. Fund your wallet with $100, hold it, and we will let you post that reaction to a news article after it's been held continuously for 30 days, and automatically delete it as soon as it's unfunded.
You're talking about earned capital as a forfeitable deposit. Sure that
scheme has its place.
I joined HN for one or two reasons. To research a book. But also to
promote my last book. Anyone can post here with a throwaway, yet I
didn't want to be an interloping dick who felt entitled to hit and run
posting links to my own vanities... so I decided; join, contribute,
participate, earn. After a few months I don't feel bad about plying my
own wares a little. Reputation (social capital) is natural and ancient
and doesn't really need crypto.
Most of the Web isn't that though. As an information system, as Sir
Tim first coined it, it's a publishing machine: You advertise a
service, I send "requests", you send "responses", we part ways without
complications. Quick anonymous sex on the beach. So-called Web2.0
f-cked that massively. Web2.0 wants to exchange phone numbers. And
once the surveillance capitalist creeps latched on to stalking
everyone around the neighbourhood... well here we are.
I think what some Web3.0 people think is that crypto can repair some
kind of "middle ground", where Web2.0 type behaviours can take place
but anonymously and under conditions controlled by "stakes". I think
this won't work for psychological and game theoretical reasons we
can't get into here. Instead I think we need to repair the Web1.0
layer at least, and since transport level security and anonymity have
become necessary in a post-Snowden era, for me that means getting rid
of the selective prejudice inflicted by systems like Cloudflare.
Where do you have the information from that "all malicious traffic attempts to use privacy respecting technology."? I just checked an access.log (from a searx instance) and an auth.log for malicious traffic and it doesn't look at all like that.
ssh bruteforce top 5 offenders:
147 (Tor: 0) TENCENT-NET-AP-CN
133 (Tor: 0) DIGITALOCEAN-ASN
31 (Tor: 0) CHINANET-BACKBONE
17 (Tor: 0) BAIDU
13 (Tor: 0) CHINANET-SH-AP
Overall there were 737 unique IPs from 241 ASNs and 1 was a Tor node.
access log top 5 offenders:
76 (Tor: 0) DIGITALOCEAN-ASN
58 (Tor: 0) CONTABO
54 (Tor: 0) AMAZON-AES
50 (Tor: 0) KAZTELECOM-AS
34 (Tor: 0) CORBINA-AS
Overall there were 1672 unique IPs from 618 ASNs and 4 were Tor nodes.
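A sketch of how a tally like the one in the comment above can be produced from an sshd auth.log, added here as an example and not the commenter's own script. The log lines, the prefix-to-AS table (documentation address ranges with hypothetical AS names) and the Tor exit list are all constructed, and counting unique source IPs per AS is an assumption about what the commenter's numbers mean.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample data: documentation ranges (RFC 5737 / RFC 3849),
# hypothetical AS names and a made-up Tor exit list. A real run would load
# an IP-to-ASN database and a current list of Tor exit addresses instead.
PREFIX_TO_ASN = {
    "192.0.2.0/24": "EXAMPLE-CLOUD-A",
    "198.51.100.0/24": "EXAMPLE-HOSTING-B",
    "203.0.113.0/24": "EXAMPLE-ISP-C",
    "2001:db8::/32": "EXAMPLE-V6-D",
}
TOR_EXITS = {"203.0.113.77"}

SAMPLE_AUTH_LOG = """\
Aug  2 03:11:01 host sshd[811]: Failed password for root from 192.0.2.10 port 40022 ssh2
Aug  2 03:11:04 host sshd[811]: Failed password for root from 192.0.2.10 port 40030 ssh2
Aug  2 03:12:40 host sshd[815]: Invalid user admin from 192.0.2.44 port 51234
Aug  2 03:13:02 host sshd[819]: Failed password for invalid user test from 198.51.100.7 port 2222 ssh2
Aug  2 03:14:15 host sshd[822]: Accepted publickey for alice from 198.51.100.200 port 50000 ssh2
Aug  2 03:15:09 host sshd[830]: Failed password for root from 203.0.113.77 port 44321 ssh2
Aug  2 03:16:30 host sshd[834]: Failed password for root from 2001:db8::5 port 39000 ssh2
Aug  2 03:17:12 host sshd[840]: Failed password for root from 192.0.2.99 port 40100 ssh2
"""

# Matches the two common sshd failure messages and captures the source address.
FAILED = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+)"
    r" from (\S+) port \d+"
)


def failed_sources(log_text):
    """Return the set of source addresses seen in failed SSH logins."""
    sources = set()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        try:
            sources.add(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue  # hostname or garbage where an address was expected
    return sources


def asn_for(addr, table):
    """Longest-prefix match of addr against a list of (network, name) pairs."""
    best = None
    for net, name in table:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
    return best[1] if best else "UNKNOWN"


def summarize(log_text, prefix_to_asn=PREFIX_TO_ASN, tor_exits=TOR_EXITS):
    """Return (rows, unique_ips, asn_count, tor_ips); rows are (ips, tor, asn)."""
    table = [(ipaddress.ip_network(p), n) for p, n in prefix_to_asn.items()]
    tor = {ipaddress.ip_address(a) for a in tor_exits}
    per_asn = defaultdict(set)
    for addr in failed_sources(log_text):
        per_asn[asn_for(addr, table)].add(addr)
    rows = [(len(ips), len(ips & tor), name) for name, ips in per_asn.items()]
    rows.sort(key=lambda r: (-r[0], r[2]))  # most offending AS first
    return rows, sum(r[0] for r in rows), len(rows), sum(r[1] for r in rows)


def format_report(log_text, top=5):
    """Render the summary in the same shape as the tally quoted in the thread."""
    rows, ips, asns, tor = summarize(log_text)
    lines = [f"{n} (Tor: {t}) {name}" for n, t, name in rows[:top]]
    lines.append(f"Overall: {ips} unique IPs from {asns} ASNs, {tor} Tor")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_AUTH_LOG))
```

The same per-AS grouping works for a web access log once the failure regex is swapped for whatever marks a request as malicious on that service.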
Not necessarily Tor, but a VPN could be coming from any of those sources.
I spent a recent chunk of my career combating fraud on a niche-eBay style site and the people trying to defraud other users, pay with stolen credit cards, login with phished credentials, etc were consistently trying to hide their origin.
Until we started using fingerprinting techniques to track them across multiple accounts and IPs, we had no way to spot this. It was a shock to me when I realized there were legitimate uses for fingerprinting technology because I'd always associated it with ad networks and trackers. They're fairly necessary for combating fraud though.
When we stopped letting any untrusted users run a credit card if their connection couldn't be trusted, our charge backs virtually stopped. That experience makes me completely understand sites scrutinizing anonymized traffic.
Not specifically picking on you (thanks for replying) but may I
rephrase that a little and then ask something;
"Sinners look just like saints, so it's necessary to punish all, to
destroy the riches of the many in order that wicked few do not
escape."
Is that a fair framing of the "ethics" of what you said? (I'm not
attributing that as 'your' argument, I understand you're kinda just
trying to 'explain' something as you see it).
Do you think this kind of thinking can continue to stand if technology
is ever going to be fair and useful to everyone? Or do we just accept
that technology always amplifies at least as many problems and
injustices as it solves?
If an army is attacking your border and somebody walks through them saying, "It's okay, I'm totally legitimate!" that person is probably still going down in the crossfire. Enter from the direction where the attacks aren't coming from and your odds will increase significantly.
Ultimately, companies will either adopt a very strict security policy on their own or they will respond to the problems that they are experiencing. If you are a US only company and you start getting malicious traffic from Romania, it's fairly common to just block all of Romania. When you're using tools like Maxmind for network identification, VPNs and Tor are just another traffic source that you can choose to block if it's causing you problems.
What I'm getting is that you consider the "attack" an immediate mortal
threat and the granularity of tools and techniques for discerning
enemy/friendly identity and behaviour are lacking. The principal
ethical stance is really self-preservation.
> "It's okay, I'm totally legitimate!" that person is probably still going down in the crossfire.
Nice analogy. I may have to steal that :)
Given that we can't rely on identity [1], can we improve analysis and
response to behaviour?
[1] I see in an earlier response you talk a bit about fingerprinting,
and of course anyone serious about privacy will modulate OS and browser
FPs without malicious intent.
For example, at the site where I worked we needed much stricter protection but we didn't want to bother the established users of the site...so we set up trust scores and implemented stricter controls on a sliding scale. The higher your trust score, the less strict we would be with our policies.
As a brand new user, your score was a flat 0. You could boost it by verifying a credit card, phone number and address (without using a VPN/Tor). Successful transactions rewarded your score. Transactions with established users are more valuable than transactions with other new users, etc.
All the security was virtually invisible to the established users and it worked like a charm.
Regarding the fingerprinting, at the time that we were doing this anti-fingerprinting technology barely existed. We had some other tricks in the bag too to fingerprint based on behavior. It was a lot of fun working on that stuff though. Very much a cat and mouse game.
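The sliding-scale trust score described in the comment above, as an added example that is not the commenter's code. Every number, threshold and control name is an assumption, since the comment gives the mechanism but no values.

```python
from dataclasses import dataclass, field

# All weights, thresholds and control names are assumptions for illustration.
VERIFY_POINTS = {"credit_card": 10, "phone": 10, "address": 10}
ESTABLISHED = 50       # score at which a user counts as established
TXN_NEW = 2            # successful transaction with another new user
TXN_ESTABLISHED = 5    # successful transaction with an established user


@dataclass
class User:
    name: str
    score: int = 0                              # new users start at a flat 0
    verified: set = field(default_factory=set)  # verification kinds credited


def verify(user, kind, via_anonymizer):
    """Credit a verification once, and only if it was not done over VPN/Tor."""
    if kind not in VERIFY_POINTS:
        raise ValueError(f"unknown verification kind: {kind}")
    if via_anonymizer or kind in user.verified:
        return False
    user.verified.add(kind)
    user.score += VERIFY_POINTS[kind]
    return True


def record_transaction(buyer, seller):
    """Reward both parties; a deal with an established user is worth more."""
    # Read both states first so the update order cannot change the reward.
    buyer_established = buyer.score >= ESTABLISHED
    seller_established = seller.score >= ESTABLISHED
    buyer.score += TXN_ESTABLISHED if seller_established else TXN_NEW
    seller.score += TXN_ESTABLISHED if buyer_established else TXN_NEW


def controls_for(user, via_anonymizer):
    """Sliding scale: the lower the score, the more checks are applied."""
    controls = []
    if user.score < ESTABLISHED:
        controls.append("manual_review_over_limit")
    if user.score < 30:
        controls.append("hold_payout")
    if user.score < 10:
        controls.append("captcha")
    # Assumed rule: anonymized connections only cost something for users
    # who have not yet built up trust.
    if via_anonymizer and user.score < ESTABLISHED:
        controls.append("no_card_payment")
    return controls


if __name__ == "__main__":
    newcomer, regular = User("newcomer"), User("regular", score=60)
    verify(newcomer, "phone", via_anonymizer=False)
    record_transaction(newcomer, regular)
    print(newcomer.score, controls_for(newcomer, via_anonymizer=True))
    print(regular.score, controls_for(regular, via_anonymizer=True))
```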
No, because you're framing it like they're blocking or challenging every user that comes to their site. Instead, when 90% of your malicious traffic comes from VPNs/TOR, it makes way more sense to just block or challenge those specifically even if it causes an inconvenience on the ones who use those services in a non-malicious way.
True, but as far as cloudflare goes - it doesn't explain why plain, probably cached, GET requests have to be behind a captcha. If that's really an issue, can't they save it for POST requests and other non-static endpoints.
The flip side to this is to have your site hammered by bots, scrapers and worms looking for exploits (look at your weblogs sometime and see how often Wordpress php pages are requested, lol). I don’t know what the middle ground is but in spirit I agree with you, especially in keeping the internet decentralized. In practice I’m not so sure.
When configured correctly you can use most of Cloudflare's features such as WAF without blocking all Tor/VPN users. Requires a little bit more than just flicking the „I’m under attack“ button though.
I have my own VPN on a DigitalOcean droplet and it’s basically the same, I’m outright blocked from many sites (Imgur for example) and I have to solve tons of captchas. DigitalOcean doesn't accept cash so your argument doesn’t pass the sniff test.
DO has a generally poor reputation in the security industry as abuse from their services is very common - they don't really vet their customers to any real degree. The same is true of e.g. AWS which is why a lot of websites will outright block traffic coming from AWS.
The reality is that "anonymous payment" is kind of pointless, it's basically never the payment method that determines abuse potential as abusers have all kinds of ways of making payment anonymously even when only e.g. cc is accepted. What matters is the level of time and effort put into monitoring usage.
To be honest, on a pure sniff test your traffic coming from DO is probably more suspicious. There are lots of legitimate uses of commercial VPNs. There are not many legitimate users of consumer web-browsing from DO.
I think this is different.
You are banned because DO IP ranges are public and everyone wants to ban cloud IPs, since legit users don't use static VPS IPs.
I am currently hosting Headscale with an exit node on Hetzner, and sometimes I am banned from websites.
But back when I used Contabo it was a rarity to get blocked, even though it's a more "shady" host, maybe because it's not as well known?
> Online stores are more likely to flag your purchase as suspicious on the admin side (e.g. the Shopify console)
I'm not sure a VPN provides much utility when you're already punching your (billing|shipping) address and CC number into a website - that is, unless you're using a drop site for your packages, which definitely will make you look like someone who has stolen CC digits and is trying to cash in on them.
Well, to give one use case example, when I'm traveling I want to access websites from a US IP address so that l18n settings on websites don't serve me in another language or metric units by default. That's one way I use VPNs that have nothing to do with trying to hide from the NSA or whatever people think they're doing.
>seems to have become increasingly difficult to access many websites through their servers.
And I, very happily, continue on without those 'many websites'. Of which, there are actually, very, very few for me.
Nevertheless - fuck 'em; and not missed.
I've had a lot of trouble with that lately. I can't connect to imgur without turning it off, and my USPS.com account got straight up banned for logging in over Mullvad, I had to call them to prove my identity.
On that note, is there a good consensus on IPv6 blocking? I know some ISPs provide a /48 while mine (AT&T) only provides a /64 to each customer. I would imagine most websites, when blocking a v6 for abuse, block the whole /64?
Wish the name was easier to remember. It opens opportunity for typo domain/app squatters to take people elsewhere.
I had to double check the spelling from reliable sources.
I wonder how they plan to impose compliance on entities that have no legal presence in India, accept cryptocurrency payments, and take no PII as part of the signup process - all of which I believe apply to Mullvad.
Monero users are more likely to be the type to use a cold wallet, and a ban on cold wallets is unenforceable (especially for Monero, where transactions can't be traced) as it's kind of like holding cash, except that there isn't anything to be found physically.
The hard part is getting the Monero in the first place to put in your cold wallet. The main two options are (1) use an exchange, all of which are either being monitored or blacklisted by India (2) exchange cash in person, good luck doing that in a country that is actively suppressing it
There are platforms like Bisq, which can be used to purchase BTC (although you need a small starting amount of BTC as a minimum security deposit) and then used to swap into Monero. It is both tricky to monitor and difficult to block as it works over Tor. Although I suppose having to go for something so 'exotic' just to privately buy crypto is in itself going to turn away a lot of people.
I thought it doesn't matter if it is known you bought Monero. When you spend it, that spend can't be traced back to you? Wasn't that the whole point of Monero?
But if India makes it illegal to obtain monero, then you won't get to that second step of getting to use it. Controlling the on-ramps seems to be the easiest way to regulate crypto, as we saw when Canada started cracking down back in February
If you're able to exchange rupee for another currency, you can always mail the cash to them. I admittedly don't know how feasible or how difficult that is to do though.
> Is there any government in the world that's currently able to enforce such laws?
People talk about crypto like offshore bank accounts and cash never existed.
How does the revolutionary leader of a Sub-Saharan country who suspects the deposed leader has funds in an offshore bank account in a jurisdiction that doesn't even recognize the incoming regime get the money? Violence.
In hyper-legalistic societies like the U.S., yes, the police may sometimes have trouble finding proof that survives court scrutiny. (Though I'd guess most people aren't practicing good opsec around their crypto.) But that isn't most of the world. I don't see the Indian police having any trouble arresting and searching someone on reasonable suspicion of operating a hidden wallet.
Since Mullvad doesn't have any servers in India, they should be unaffected, right? I confirmed it with their support, they said it will not affect their users.
Monero is about to go through a hard fork and significant upgrades, like trading XMR to BTC and back without a centralized exchange. The mining rewards was recently voted to a specific amount for perpetuity, to guarantee it never going to zero. I think the project is going quite well.
I'm not sure if that is entirely true, historically, I can explain..
The emission schedule was changed when the tail emission was added, however that was early on, to your credit. Smooth was the one who proposed it iirc, then it was added shortly after. It was not part of Bitmonero originally, as Smooth, Fluffyponyza, et al did not arrive until ThankfulForToday abandoned the project.
Maybe someone with less gray in the beard can put some dates on that, I'm just going by memory.
Monero, without dev tax and pre-mine, simply doesn't have the funds to compete in research with other, more well funded projects. I don't see how a different emission curve would have helped here.
MRL work is progressing on Seraphis[1] which will allow for significantly higher ring sizes without increasing the transaction size. A proof of concept is currently in development.
More people need to put up bounties for feature development. There are some existing sites but they’re not heavily used. I think plenty of people would be happy to develop a feature for 5/6 figures.
There are also some monero whales that could probably stand to contribute to further development even if they don’t do it themselves (like fluffy pony) but unfortunately it looks like they are/he is in the early stages of getting Assanged
Monero community's arrogance and in-grouping has segregated them just like they desired. That technology and user experience is an evolutionary dead end, it can exist and that has enough utility. But in the multichain world the user experience is better and the funding models are better, even gitcoin grants streamline development of projects.
Respectfully I disagree with this statement, on a conceptual, as well as factual level.
>Tornado cash is good enough tbh
I hold neither of these, but as someone with a significant amount of experience in the field, the facts are clear. "Good enough" is not an objective measurement of the binary quality of fungibility. Monero is fungible.
Is this me saying everyone should go out and buy some Monero, no, it is me saying that when you consider the mechanics of the way these two scantly comparable technologies function, there is one clear winner because only one is fungible.
I don't have a response to the social issues of those that use or perpetuate Monero adoption, just as I don't have a response to the social issues of those that use or perpetuate USD, or any other asset. It's not my business what other people do, and I don't feel associated by virtue of using the same utility.
> That technology [ ... ] is an evolutionary dead end
The fact that Monero has been growing the minimum ring size over time, as well as refining the decoy selection algorithm, shows that fungibility, in the sense of transaction graph obfuscation, is more of a spectrum.
It's good enough in user experience and storage, in fact far superior to Monero’s experience. When a user then wants fungibility the one time they want the state’s money and financial institution then they use Monero as a conduit.
This is why tokens make sense. Can fund development of new features if you could integrate new tokens on Monero. It’s how Ethereum has moved mountains with new infrastructure projects.
Tokens were a thing on Bitcoin too. They were called "colored coins". The reason that it works on Ethereum is Turing complete scripting allowing you to build all sorts of fun financial gadgets and tools around the token.
I gotta say, I love Monero but every single time I see malware deploy a miner it is Monero for obvious reasons. More than any currency I want it to succeed because of true anonymity it provides but when you accept Monero, better beef up your anti-abuse capacity.
It feels wrong going in defending them here but basically nothing else on the planet is CPU mine-able anymore, RandomX was made specifically to exclude GPUs and ASICs.
If you had intrusions on GPU servers it would be a very different story.
I can't tell you why they compromise thousands of docker containers, VMs and even run of the mill malware drops xmr miners with winring0.sys on Windows to run at ring0.
3. Resell your product at a discount for clean money
Congrats, you now get to meet all the alphabet people in person and spend a lot of one on one time with them. Hope you didn't have any traveling planned cuz you aren't getting on any airplanes.
Many years ago I worked for a telco that had a mobile product that you could buy with cash (show up in a convenience store with cash and you would get a SIM card for use straight away without any form of registration).
This was 5 times as expensive compared to when you paid by debit or credit card.
This offering was extremely popular amongst drug dealers and people needing a burner to call in a bomb threat. (Maybe there were legitimate uses too - I never found out.)
The problem for the telco was that this was generating hundred fold the number of requests for wire tapping and logging by the courts and the police. And by law the telco was required to service these requests free of charge.
So in the end the business simply wasn’t there even though the margins were sky high.
Moral of the story: selling stuff to criminals might seem like easy money but may not be worth the trouble.
If you looked at 'average people' versus 'criminals' you'll find that there's a much higher demand for privacy/anonymous communication among the criminals. That isn't to say that normal folk don't want privacy too.
The end result is that if you're one of the few companies that offer privacy to your customers you'll find your customer base has a higher ratio of criminals as they'll all flock to you.
I think criminalizing useful technologies is an obscenely naive way to operate. You're incurring insane game theoretical cost for the consolation of revenge against the criminals.
If you are interesting enough, Signal doesn't help at all. Some nation state will have NSO infect your mobile device with Pegasus and record everything you type, say and do.
People need to understand this. There is no solution for mobile device compromise other than to stop using these devices.
And if you cannot stop using them, then you must understand that everything you type, say and do on or around your mobile device is (or will be) public. So treat it like a public device at all times.
Sure, but just because nation states can hack you doesn't mean you should throw your hands up and give up on keeping your data as secure as possible. There are non-state actors who would love to get their hands on your data for profit.
Even if you aren't a criminal, the fact is that privacy tools of this nature are explicitly relying on having enough volume of criminals and other illicit users to provide cover for you. This is what they're designed to do, the designers of these systems will openly admit to it. You can make your own judgement on whether you're ok with that, but it doesn't help to deny what's actually happening.
>the fact is that privacy tools of this nature are explicitly relying on having enough volume of criminals and other illicit users to provide cover for you
No, that's not how this works. You don't need criminal activity to provide you with anonymity. You just need ANY other activity in order to get lost in the crowd[1].
Your flawed view is that nobody should have privacy because some bad guys might use privacy to do bad things. Privacy advocates are the opposite. We say everybody deserves privacy as a human right, even if on occasion some bad guys take advantage of the privacy.
>You just need ANY other activity in order to get lost in the crowd
And that's irrelevant because these tools are explicitly built for criminals to use them. I'm actually quoting what the designers of these systems have said, this isn't my opinion. When you say "ANY other activity" that also means criminal activity gets lumped in there, I don't know why you're denying this. You're probably not a criminal but if you're using this then you're intentionally making criminals your company and you will pay for the effects of that in one way or another. That's the part where I'm speaking to you from experience. You just can't make an anonymized system like this that also isn't a lucrative target for criminals, such a thing doesn't exist. Is it unfortunate for those who aren't criminals and actually need privacy? Absolutely, but this is the reality of the situation. There's no easy solution. If someone is telling you that this isn't an issue then they're just lying to you, get mad at them instead of me.
>Your flawed view is that nobody should have privacy because some bad guys might use privacy to do bad things.
No, this also isn't even remotely close to what my actual view is. You just blatantly made this up for no reason. Why are you doing this?
This is yet another reason that it's so exhausting to talk about this, not only are you spreading misinformation about this project but you're also spreading misinformation about me. Misinformation and disinformation is actually incredibly common in these low-trust environments. If you think it's bad, I agree, it's actually incredibly shameful that some people try to use "privacy" as a cover to spread misinformation, but that's something else that you have to accept and deal with and insulate yourself from if you take this route. Please do a better job in the future and don't bring yourself down to this level of empty rhetoric. You're letting the liars and criminals win.
If you're acting this way because you see this route as some kind of moral outlet, I would suggest that you stop and find another one. This one is ethically gray and if you stick with it, you'll be peer pressured into excusing a lot of things that you're probably not comfortable with in the name of "privacy" at the expense of everything else. The moral rationalizations coming from these projects are strong, but are ultimately willful blind spots informed by money-making and capitalism just like everything else. Don't say that nobody warned you.
My guess is that the level of abuse is much higher by the customers paying via monero, than the ones paying by card. My guess is also that abuse is not entirely without cost for Mullvad.
In other words the cost associated with the extra business that comes via Monero might be higher than the extra money that comes in.
Just as a reminder, you can bridge from EVMs to Monero via the SECRET bridges, which seems to have the Monero community's blessings on consensus models. There is ample liquidity as well.
So there is bi-directional access to and from the broader crypto ecosystem without centralized exchanges and without the selectively scamming shapeshift-style sites, and for the pros: without OTC desks either.
Well Secret isn't exactly the broader ecosystem, it uses the EVM (as most smart contract platforms do these days) but isn't Ethereum Mainnet. So you'd have to bridge more from there. Of course you could bridge into Ethereum or other chains directly with something like WXMR as well. Everything is getting bridged these days, there's going to be 1000 bridges soon. Users should be aware of the risks!
That said Secret is interesting. Another thing to note though in terms of privacy is that Secret token transactions aren't anonymous afaik, despite the name suggesting otherwise. Only the smart contracts are. It's an interesting design choice, there are probably arguments pro and contra both.
I didn't feel the need to specify how many bridges you had to take, just that you can have XMR and get to the broader ecosystem via SECRET. That is 100% accurate and orders of magnitude better than before the SECRET bridges existed.
Correct, yes, on SECRET network, smart contract variables are private, which means all token transactions are while the native currency is not. There are a variety of ways to leak data anyway.
So SCRT is the native currency while sSCRT is the token version that therefore has the variables (to, from, amount) private.
How so? They claim they keep custody of your tokens in exchange for the WXMR one, that's how any bridge works in essence. And yeah, you're right it would better to do swaps, this wasn't supposed to be an endorsement. There is an inherent danger in ceding custody to a third party, be it on Secret or Ethereum.
It's always interesting to see how often stuff that Mullvad does ends up on HN, even when it's not something new. There are other VPNs out there that were accepting Monero for a long time.
My own DigitalOcean droplet. It's easy to set up and get going, costs only $5/mo, and with all of my other droplets bandwidths combined I effectively have unlimited bandwidth.
Only ever use it on public wifi, and it isn't meant to be "private", just good enough to prevent accidental data leakage at Starbucks/doctors' offices/wherever else my 5g doesn't reach and I'm forced onto public WiFi.
I used to do this, and it's nice having your own IP, however keep in mind that while you preserve privacy from your ISP/gov you lose privacy from the websites and services you access as you become very uniquely identifiable.
Yeah I'm less worried about trackers (block those with uOrigin and AdGuard), and just more worried about data leaks on public wifi which are less and less likely with everything being on SSL now, but until everything is FORCED onto SSL then I will still run my own VPN when I'm on public.
Maybe I'm missing something, but why is "not sponsoring podcasts" a plus for a VPN service? Personally Mullvad is my favorite and AFAIK, they also don't sponsor any podcasts, but I don't think that would influence how I feel about Mullvad.
I used Mullvad for a few years and was largely happy with it. I got a multi-year deal on ProtonVPN that was too good to pass up, so now I'm on that. Overall, I think I liked Mullvad better so may go back to it when my time is up.
I used NordVPN back quite a few years ago. Once they started advertising on cable tv shows, I knew it was time to jump ship. A VPN service spending that kind of money is either burning through cash too quickly to survive, selling user data, or a government honeypot.
That's more about what's in their marketing material ("when a service isn't being honest in their advertising") rather than where they actually put that marketing material.
And yeah, then I'd agree, if Mullvad started lying or pushing useless services down my throat, I'd definitely dump it quickly.
It shows scale and also makes them a bigger target for lawsuits which get settled through access.
Check out what VPNs have been sued over the last year (they all have been no log companies) and you will quickly realize that logs are being shared by anyone of size. The smaller the service the better.
I'm also not sure why sponsoring podcasts is relevant, but FWIW I have heard ads for ProtonVPN on the Darknet Diaries podcast (https://darknetdiaries.com/sponsors/).
It affects my decision making because the stuff that gets plastered across podcasts and YouTube videos is often crap the hosts themselves clearly haven't even used. Just my opinion based on the times I've actually researched the products I've seen sponsoring content. YMMV
You can use OpenVPN or WireGuard as clients (or their own), and while I was writing this I just saw they accept payments with different crypto (bitcoin, ethereum, litecoin, bitcoin cash, dash, doge, monero).
Same as Mullvad. Personally, the greatest feature of Mullvad is that they accept cash sent in envelopes, it doesn't get more (proven) private than that. Does AirVPN offer something similar?
The other big point in AirVPN's favor is configurable port forwarding. Makes it much easier to quickly expose something to the internet on any network.
Mullvad FTW!
I've tried basically all VPNs out there and Mullvad and Proton were (at the time I did the experiment) the only ones that were 1) trustworthy 2) just worked
What are people using VPNs for mostly, if they're living in a country without internet censorship?
It's either your ISP or the VPN provider, which can log the websites you have visited, so there isn't a clear advantage of using a VPN.
Sure the VPN provider may claim to log nothing, but that's hard to confirm and not proven to be true in some cases (related thread regarding Protonmail: https://news.ycombinator.com/item?id=28443449).
For researching confidential topics, TOR appears to be fine.
VPN may have better network bandwidth, or may be blocked from less websites than TOR exit nodes I guess.
I don't have a choice of ISPs. It's not a competitive market and they have no incentive to respect my privacy in the slightest.
In contrast I can choose any VPN provider in the world. It's a competitive market and they have strong incentives to respect privacy because it's one of their main selling points. Any VPN that is discovered to not be respecting privacy will lose a lot of business in short order.
Sure you can say that they can violate privacy in secret, but that's a big risk for them. It's no risk at all for an ISP because their customers have no choice. It's no guarantee, but it's definitely a better situation to use a company that actually has incentives aligned with yours.
That answers it for many people, I would guess. Even without censorship, many ISPs have a much worse track-record for gathering and subsequently selling information than, say, Mullvad does.
Is it an absolute that Mullvad doesn't log/sell information? No, of course not. But they make a much more convincing case than my ISP does.
Geoblock avoiding is another common answer. My ISP also sends out letters if you torrent, which can be annoying to receive - Mullvad alleviates that.
Here in Germany the rights of ISP users are supposedly better protected than in other jurisdictions.
At least that's what I heard on this podcast [0], latest episode iirc.
Yet you can't watch age restricted youtube videos without giving them your ID or credit card information. In the name of "protecting children".
The German government also threatened to ban Telegram which would have put them in line with places like China, Russia, Cuba and Iran. I think Telegram folded and now removes channels at their request in order to avoid being fully censored.
> Is it an absolute that Mullvad doesn't log/sell information? No, of course not. But they make a much more convincing case than my ISP does.
That's not the only deciding factor though, is it? Mullvad (not singling them out, but just for sake of illustration) is in many ways more attractive to bad actors because it centralizes users seeking privacy. On top of that, you're adding additional software and network complexity which equals attack surface. There's more to consider than what appears at face value when considering whether a VPN is appropriate.
Of course there is more to it than a single dimension, I just didn't think it necessary to write out each and every consideration as the risk analysis will change per user.
The trade-off is worth it, for me personally, including when those other factors are considered.
ISPs are often in a more powerful position, in the sense that they often have more streams of data to you than just your internet usage. E.g. your mobile service provider is also your ISP when you're on the go, thus they also have your call and text history and location history to correlate with your browsing history.
On top of that there's also the value of just having privacy even if the ISP can be trusted. E.g. I might not mind being seen naked by a friend, but I would still prefer for that to not happen.
In general I think a lot of the big providers who have gone without incidents (and without major changes) for a long time can be trusted. I feel the incidents with Proton were somewhat overblown, since their page on legal notices received did mention that they could be compelled to log IP addresses (or at least that's how I remembered it). But even without that, I think Mullvad has been pushing for "system transparency" where users can verify all the software that's running on their servers, which is a step in the right direction towards providing confidence that they are indeed not logging anything.
Avoiding my university or workplace from snooping on my traffic.
I’ve had it where I was served an ad from a server that had previously been implicated in a botnet operation. The university told me I was infected and that my computer was not allowed back on the network until I came in person to show them that I had done a full wipe and reinstall of my OS.
I personally use it to evade IP-based tracking, for random example LinkedIn. Try browsing LI from your home. LI will suggest that you connect to others in your home. Even though I have a fake LI profile, not linked to other members of my household, so this doesn't actually invade my privacy, it's still yucky that they maintain a shadow connection between us. There are tons of sites/services that do this kind of simple yet invasive tracking.
I also use it in rare cases for torrenting or downloading content. I normally have other methods for torrenting and seeding privately but in some cases I want another level of privacy (nothing illegal/bad/censor worthy, and therefore would be ok with law enforcement connecting the dots through VPN), a level that VPN serves well.
I am glad that the VPN providers sell people on nonsense, on protections they can't guarantee (to Western countries anyway). This makes the service actually available at all. To me it's an analog of the https-everywhere cargo cult, that makes it super easy these days to get a free SSL cert.
No technology is perfect. It doesn't make it useless.
For me one big use case: avoiding stupid geoblocks on motorsport streams. Often streams are available in countries where the licence has not been sold on Youtube or the websites of the sport itself (sometimes for free, sometimes as a subscription).
For example Formula 1 has F1TV that you can only sign up for in some countries (where they didn't sell out to Sky essentially).
Like, I don't even mind paying for a service if it's good and actually available!
Sent a link (yt, less than a couple of minutes long) to two friends (in different, and not my, countries).
Both blocked.
One friend changed location via vpn and watched the video. The other, no vpn, didn't see the video AND said they wouldn't ever use a vpn as they have 'nothing to hide'.
This is what I use mine for. If PIA is secretly logging they aren’t going to reveal that info and ruin their business model for whatever you call a DMCA request in Canada regarding my torrent activities.
> What are people using VPNs for mostly, if they're living in a country without internet censorship?
I find it's a convenient way to prevent services beyond my ISP from knowing where I am based on IP address.
All of those apps you have on your devices presumably have permanent connections back to their servers and they can very easily tell if you're at home, out on mobile data, in an office, or in a cafe/public library or even in a different country.
With a VPN, they currently think I'm in Dallas; which I'm nowhere near right now.
Many apps on your phone are entitled to read WiFi SSIDs, mapping your location as accurately as GPS - and indoors, too! Go ahead and google "where am I" with a native Android/iOS search app with your VPN enabled, you may be surprised by the results. Not to mention accelerometers and other sensors can reliably predict your movement and location, too.
There's significantly more competition among VPNs than there is among ISPs in any given area, so it should be no surprise that some VPNs are more trusted than ISPs. Most people have only a few choices for their ISP, and maybe only one that offers the features they require (for example, only one ISP in my area offers high enough upload speeds to reasonably back up my computers). In many cases people don't have a choice of ISP that will keep their data private.
Therefore, you are trading trusting your ISP for trusting your VPN, but at least you are getting someone who says they care about your privacy (rather than someone who has a track record of not caring) and someone who would face significant business repercussions if they became untrusted, rather than someone that would face almost no business repercussions.
> may be blocked from less websites than TOR exit nodes I guess.
Try routing all your traffic through TOR and trying to navigate the modern web or common apps. It is _extremely_ punishing when you connect through TOR exit nodes.
I used to run a relay and they are even hostile to relays. I had to stop because my family was asking why their banking apps didn’t work on the Wi-Fi and why they always get warnings and CAPTCHAs only at home.
It depends on how security conscious you are. Technically you can route things through remote nodes and thus avoid downloading the blockchain. But the monero community is security conscious and usually recommends downloading the blockchain, which takes a while if you do it the “right” way and don’t just find a copy of it hosted somewhere and download it.
If you are ok with skipping that, you can use something like CakeWallet to create a wallet on your phone and then give someone a receiving address.
Thank you for the compliment! We are indeed for real, but I don't expect this comment will convince you. I'd love to know what we could do that would change your mind.
The same goes for anyone else reading this. Are you worried that we are too good to be true? What could we do to become more trustworthy in your eyes?
I don't know. Disclaimer: just a happy customer. What I do know is that all you know about me is the account number you gave me and the IP address I'm connecting from. I always pay cash, so that would be hard to trace back.
So I know you do the absolute maximum you can do to know as little about me as possible. As far as not keeping logs and not spying on me, I suppose I'll have to trust the audit reports.
Not much more you can do in my opinion. It's definitely good enough for me! Thanks for this great service!
This isn't meant to be criticism, just curious. Why did it take so long to add monero support? For the past several years there's only ~2 other VPNs that tick all the privacy boxes, and you're the most preferable - other than lack of monero support. It always seemed weird that you went so far for privacy, but didn't support monero.
Was it just on the backlog and took a bit of time to implement? I appreciate that you built your own implementation for crypto by the way.
Thanks for the great service.
EDIT: I've heard a rumor that you've shared a user IP because of a government subpoena (live during a connection, so it wasn't logged). Has this happened? I think your swedish-legislation page says "However, the Swedish police authority may have access to information by way of coercive measures such as seizure and search of premises." which would allow for this to happen in theory? I.e. intercepting or seizing control of your router to see what IP a connection is on?
EDIT: One other question - are there plans to add more IPs? Services seem to flag most Mullvad IPs but I'm not sure there's much you can do about that.
Some third-parties did sell gift-codes using Monero before Mullvad had native support although I had no experience with them.
> I've heard a rumor that you've shared a user IP because of a government subpoena (live during a connection, so it wasn't logged).
Got any details?
FWIW: Correlating the origin IP with real-time traffic out of a single-hop VPN tunnel can be done using traffic-analysis by third-parties that are not the VPN provider themselves.
> Why did it take so long to add monero support? It always seemed weird that you went so far for privacy, but didn't support monero. Was it just on the backlog and took a bit of time to implement?
I don't work with payments and the surrounding systems so I don't know the details of the project itself. As an organization we've certainly been aware of the feature request, but until now we've prioritized other projects.
> EDIT: I've heard a rumor that you've shared a user IP because of a government subpoena (live during a connection, so it wasn't logged). Has this happened?
To my knowledge it has never happened in the history of our service.
> EDIT: One other question - are there plans to add more IPs? Services seem to flag most Mullvad IPs but I'm not sure there's much you can do about that.
I'm sure my colleagues in the Operations and Support teams are aware of it. You'll get a better answer from support@mullvad.net.
Paradoxically, the most trustworthy thing you could do as a VPN provider is explain why most people don't need and won't actually benefit from a VPN. Outside of a few limited use cases (accessing location-restricted content, connecting to legacy services) and with almost-ubiquitous end-to-end TLS encryption deployed on the Internet, there's really not a lot of good reasons to use a VPN (and many good reasons not to). Reasoning about this in a transparent and objective way is something I've never seen VPN providers do, and for this reason I struggle with trusting them.
DNS queries are still leaked (from most users) regardless of end-to-end TLS. There is of course DNSSEC and DNS over HTTPS, but those are not used by the majority.
Another use case you missed is downloading/uploading pirated/copyrighted content. Good VPNs receive DMCA notices and throw them in the garbage.
You are right that VPNs are not useful for many use cases and they can give users a false sense of security.
You mean it helps record integrity. The "security" story with DNSSEC is much more of a mixed bag than that; there's a reason it's very rarely deployed in the industry.
You're definitely right to point out that DoH helps with the VPN DNS privacy problem and DNSSEC doesn't.
I disagree with your assessment of the use cases for a VPN. Just one example: Your IP address is often a great identifier, making a VPN or Tor a useful starting point for online privacy. This is more or less what we say on our website as well.
Based on your comment however I think you might find the following links to IVPN refreshing:
> Your IP address is often a great identifier, making a VPN or Tor a useful starting point for online privacy.
See, this is exactly why I don't trust you. This is used car salesman talk. IP addresses are only one minor tracking mechanism out of many which defeat obscuring originating IP by means of VPN altogether (canvas fingerprint, cookies, font/screen tracking, etc.) You're trying to say if I use a VPN, I get privacy because websites don't know my IP, but this isn't even remotely accurate. Do you explain this anywhere in your marketing materials? If not, it doesn't really help me, it just helps you sell the product.
> IP addresses are only one minor tracking mechanism out of many which defeat obscuring originating IP by means of VPN altogether (canvas fingerprint, cookies, font/screen tracking, etc.)
I agree. This is why I said "useful starting point". A user looking for browsing privacy needs to do more than just use a VPN or Tor. Obscuring your IP address somehow is necessary but not sufficient. This is what I meant.
Category: [Misunderstanding]
> You're trying to say if I use a VPN, I get privacy because websites don't know my IP, but this isn't even remotely accurate.
No, I said it's a "useful starting point". I did not say it's sufficient. I could have been more clear, but I was in a hurry when I wrote it.
Category: [Misunderstanding]
> Do you explain this anywhere in your marketing materials?
We do! On our landing page you are met with this:
"... a ... VPN is a good first step toward reclaiming [your right to privacy]."
Right below is a button ("What is a VPN?"), which leads to a page containing a header ("How a VPN protects your privacy"), which explains further:
"Using a VPN is a great first step toward protecting your privacy, but it's not the ultimate solution (we wish it was!). However, it's easy to improve your privacy ninja skills."
With this reply I believe I have shown you that we (Mullvad) do "reason about this in a transparent and objective way", both on your website, and with people giving us feedback.
As an aside I think IVPN's approach might be more to your liking, but nevertheless none of your stated concerns apply to us. As I've shown above they came down to two misunderstandings and a question.
If you have any other concerns I'd love to hear them. I appreciate your feedback. If we only spoke with people who gave us positive feedback we wouldn't improve as much.
Essentially, you're giving people knives and saying you can be a chef, because knives are a "useful starting point". It's going to result in some cut up fingers and knuckles, for sure. Cooking is about a lot more than handling knives, but a knife seller won't really explain this, just as you haven't sufficiently done with VPNs.
My only feedback is that Mullvad is based out of Sweden which is a member of Fourteen Eyes. I don’t expect you to move your location but it is the only detractor I can think of.
If you use Mozilla's VPN, you have to trust that they won't backdoor their VPN client in order to serve their public policy goals. (Mozilla has taken a lot of public stances against things like "disinformation" and "harassment", which could theoretically motivate them to unmask the hateful trolls who use VPN services!)
In real life cash and a balaclava have other purposes than keeping your identity hidden. (A balaclava may keep your head warm and cash may be the only possible payment in some situations.)
Do you want me to sit here and list out all of the applicable and legal use-cases for VPNs and Monero? How many would I have to list for you to change your views? Is there even a number, or is your mind set that VPN = criminal?
You said there was no practical application for VPNs or Monero, but now you're shifting your goal posts? I think I have wasted enough brain cycles on this.
Maybe I'm sick of surveillance capitalism at every fucking turn? Why do I need to justify my right to privacy? I'm absolutely over mega corporations trying to build psychological profiles of me to determine how to best try to manipulate me into giving them money. Or perhaps I don't trust them to keep the information they gather securely, properly protecting it from becoming part of the next big data breach. That's not even taking into account them turning around and selling it to the highest bidder. Every payment processor has turned dataminer. I'm sick of it. The more places I can use Monero, the better.
How about literally any country that is effectively a surveillance state? It is abundantly clear that you've never lived in or experienced anything remotely close to this since you're incapable of grasping what is probably THE MOST legitimate use case for Monero.
If you really don't see the value of privacy, why not post your various account login credentials here? If only criminals are those with things to hide, surely you will allow us access to your bank, email, etc. You have nothing to hide, why not?
End-to-end encryption is another tool you should be aware of as a budding cyber criminal. Your government can likely tell you all about how dangerous it is.
'Unbanked' is a term used in policy circles for people who don't have bank accounts.
For example undocumented migrants, homeless people, people fleeing abusive partners, people with a history of bankruptcy, and so on.
This can be politically important because if the state wants to pay all benefits by bank transfer to keep admin costs down, they've got to make sure even the most vulnerable people in our society can get a bank account.
One of the flaws of policy circles is that they assume the unbanked are victims. The term, for that sector, is a proxy for the desire and recognition of people lacking access to capital and services, which is what the policy circle really wants to occur and being in the banking system had been the route to that for so long.
Now it is not necessary, with peer to peer digital cash operating in a parallel economy, that allows access to goods, services, investments, insurance, capital and more.
I'll be honest, I've never heard 'unbanked' used in relation to cryptocurrency or criminals before vmception used it above.
I know my drug dealer can't pay duffle bags full of cocaine-covered $100 bills into the bank - but he can still get a personal checking account and pay in $100 a week or so. So I would not describe him as 'unbanked' in the conventional sense.
When the state moves to seize and freeze his bank accounts and flag his unhosted bitcoin addresses, he'll wish he had some Monero and Tornado.cash notes to pay his lawyer with.
They can use Monero as well, not instead. As there are lots of other interchangeable options for non-banked or unhosted crypto payments and commerce.
> (I am actually curious; who are these people who do not have a bank account but use Monero?)
To me, your question is similar to asking "who are these people that use their cell phone in a subway tunnel" after cellular service was extended underground. The similarity being that the answer is "I don't know" and "you're not going to get a dissertation or a source about it, people just use what's available" and "who cares". What I wrote earlier is just a list of what happens when the expanded availability is there.
Tor at least, but there’s likely more. Also, rumor on the internet goes (and looking to be correct if misguided) that the US government identifies its citizens that dl Tor.
That's nonsense. There are somewhere between 2 and 8 million users of Tor every day. The vast majority of Tor users are ordinary people that want a little more privacy. What a waste of resources it would be to try to identify and track each of them.
As a Mullvad fan this makes me very nervous. If they begin being used by, and taking payment from criminals it's going to bring a lot of extra heat their way.
They've been requiring zero identification from the beginning. That's been their business model. They don't know if you're a criminal, or a law-abiding citizen. And they intended it that way. That's how it should be.