
Non-persistence of any data is a positive in terms of data at rest, how is that not a defense against surveillance? Regardless of the fact that it's not verifiable, assuming it were true, would it not be a good thing?


How is an anonymous, non-attributable, non-verifiable statement, from a company trying to sell you a product, worth anything? Why assume it's true when it is so contrary to even basic common sense, for anyone who has ever stood up a LAMP stack?


I don't mean to assume it's true to validate their advertising. For the sake of argument, if a server uses only a RAM disk, is that an improvement over having disks? Of course a network can still have sneaky equipment in between but that is still possible without RAM disks, so is it not beneficial to have a RAM disk?

Please note that I am not arguing in favor of their advertising or to say that it is successfully avoiding surveillance. But, do you believe that no-disk boot, assuming it actually takes place, is a positive thing, or not?

I admit I misconstrued your original comment to be a criticism of the technology rather than the fact that this VPN company advertises as such. Nonetheless I do think no-disk-boot is not useless as a technology and if you have any disagreement I would love to hear it, as someone who uses a VPN (not ExpressVPN) that says they use the same setup.


It depends entirely on the threat model. If three-letter agencies are the adversary, moving logging to RAM is unlikely to be a meaningful deterrent - they probably already have a root shell or direct access to the VM hypervisor. So if it doesn't protect against nation states, whom are we defending against? Another law enforcement agency raiding the server room and taking hard drives? But I thought ExpressVPN doesn't log anything, so why would that matter? Let's just be real and practical about what problem this is actually purported to solve, else we should call it theater because it's what it is.


the question was, is it better (than running off-disk), rather than "is it good enough for X"

the answer is, yes. even an infinitesimally smaller attack surface is better than an infinitesimally larger one, all other things being equal


It's not at all better - it's worse, exactly because it gives a false sense of security.


you claim to know it gives you a false sense of security -- this knowledge itself of the possibility allays the concern


Because it's pretty easy to set up a read-only server that runs off read-only storage and that doesn't include any writable storage. The fact that it could be done doesn't really require extreme proof. They could still be lying but it's not a hard or unusual thing to do.
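
The following is an added example, not part of the thread and not any VPN provider's code: for an operator or auditor who does have a shell on such a host, a check that parses `/proc/mounts` and reports any mount that is both writable and backed by persistent storage. The sample mount tables, the function names and the short list of RAM-backed and network filesystem types are assumptions made for illustration.

```python
# Added example: audit a /proc/mounts listing for writable persistent storage.
import re

RAM_BACKED = {"tmpfs", "ramfs", "devtmpfs"}   # contents vanish on power-off
NETWORK_FS = {"nfs", "nfs4", "cifs"}          # persistent, just not local

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def writable_persistent_mounts(mounts_text):
    """Return (source, mountpoint, fstype) for rw mounts that outlive a reboot."""
    findings = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        source, target, fstype = parts[0], _unescape(parts[1]), parts[2]
        options = parts[3].split(",")
        if "rw" not in options or fstype in RAM_BACKED:
            continue
        # A block device node or a network share can hold data at rest.
        if source.startswith("/dev/") or fstype in NETWORK_FS:
            findings.append((source, target, fstype))
    return findings

# Constructed sample: root in RAM, read-only squashfs image, no disks.
SAMPLE_RAM_ONLY = """\
rootfs / tmpfs rw,size=2097152k 0 0
/dev/loop0 /usr squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
"""
# Constructed sample: same host with one writable and one read-only disk.
SAMPLE_WITH_DISK = SAMPLE_RAM_ONLY + """\
/dev/sda1 /var/lib/data\\040store ext4 rw,relatime 0 0
/dev/sdb1 /mnt/ro ext4 ro,relatime 0 0
"""

if __name__ == "__main__":
    with open("/proc/mounts") as fh:   # Linux only
        for finding in writable_persistent_mounts(fh.read()):
            print("writable persistent mount:", *finding)
```

An empty result describes only what is mounted on that host at that moment; it says nothing about data forwarded over the network, which is the verifiability gap the thread argues about.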



