(L)Awful Interception (mullvad.net)
148 points by Sami_Lehtinen 8 days ago | 33 comments

How trustworthy are these VPN services?

I use them because it's the best I can do, but I'm very suspicious. I would think the NSA is misappropriating my tax dollars if they hadn't compromised all of the VPN providers years ago. We also know the US has a history of selling compromised security equipment (https://www.washingtonpost.com/graphics/2020/world/national-...)

Don't get me wrong, I wish the NSA wasn't what it is, but if I'm paying for the federal government to be doing work, I expect them to do it exceedingly well.

So what's the case the United States is so incompetent as to let Mullvad go untapped?

Edit: the answer is that there apparently is no case. maqp was writing up the answer to my question in a response to another comment while I was writing mine.

Edit 2: My personal threat model largely accepts that the NSA, CIA, and FBI can have their way with me in the unlikely event that they notice my existence. I can live with that because they have no reason to take notice. Despite my annoying moral values, I'm not a threat to the state. However, I find the focus on nation-state actors in an ad for a service that clearly can't protect from them to be distressingly dishonest.

Depends on what you want to use a VPN for. If your use case is pirating the latest TV show, any VPN that's been subpoenaed and produced no records like PIA will be fine. If your use case is something that could get you in trouble with actual authorities, you'd be a fool to ever use your own internet connection. A clean (never had any of your PII or files on it) computer and a long-range wifi antenna to a public hotspot is the only level of security I find acceptable. The computer should never visit any sites you visit and obviously should never log into anything. Ideally while using it you should shut down your personal wifi so the potentially compromised hot computer never detects it as the strongest wifi signal.

The correct level of paranoia is behaving in such a way that all your systems could be fully compromised and it would still never link to your real identity. If you're scared of anything short of a signal locator van you're doing it wrong.

> A clean (never had any of your PII or files on it) computer and a long-range wifi antenna to a public hotspot is the only level of security I find acceptable.

People that used that method have been caught.

If they're dumb enough to use the same hotspot from the same location over and over, sure.

That's not the only weak link in that strategy. Off the top of my head, patterns come to mind. The dates/times you do - whatever questionable activity - you're doing, the way of doing it (say, your unique words, posting style, etc.) all create a unique fingerprint of you. All they have to do is match it with your logged-in (Google, MS, etc.) data habits.

I guess the best way to be anonymous is to be schizophrenic.

Generally speaking - you want a library computer booted from a throwaway bootable USB drive, located in a library a few hours away from your residence.

And never the same library. Probably change your hardware frequently as well or even use disposable devices. Also don't commute to them in a traceable way (no personal vehicle, no Uber, no taxi with credit card, no public transportation without mask to cover facial recognition + outfit changes).

Real "vs. NSA" security is nigh impossible right now for any persistent operation. Especially given ARGUS style eye-in-the-sky citywide object tracking.

Maybe the most successful model would be an actual homeless person who wanders by walking and hitchhiking and never sleeps in the same area twice.

I generally don't trust VPNs that seem to have a huge budget to spend on advertising, because that usually means they have had a shotload of investment that a VPN service will never be able to return to the investors. These VPNs are invariably owned in some weird ownership structure in jurisdictions I don't have any confidence in.

There's a difference between what the NSA and CIA can do and what the FBI can do. Even if you are an outspoken dissident, the FBI likely won't burn the supposed fact that they have backdoored all VPN companies to try to prosecute you. The value in clandestine backdoors like these are for intelligence, not law enforcement.

With parallel construction the FBI doesn't need to burn anything.

If you knew the history of the development of the almighty special agencies (look at the USSR/Russia, China, etc.), you would know that you could become of interest to them, even if you don't think you are a threat.

One of the benefits of mass surveillance (for the state) is that people of interest have no way of communicating with the world securely/secretly; they have to assume that everything is tapped and actively hostile to their communication setups.

That means that you could be recognized as part of the shortest path to undermine some person of interest, and there is no reason for you to assume that they will hesitate to harm you and your safety/comfort.

Strange the article doesn't mention CALEA[0] for the United States. This is what actual local/state/federal law enforcement uses (with a court order) for data/voice intercept.

What's interesting about CALEA is it (essentially) requires compliance via devices with "LI" (lawful intercept) functionality and/or third party providers to provide "tap/trace" functionality in such a way that it's not even visible/detectable to the network provider, network admins, etc.

This LI functionality is typically implemented at the network device/operating system level as defined by an ETSI standard[1]. I've never implemented it personally but from what I understand it basically allows for an LI provider to siphon off tap/trace data with something like a VPN back to the LI provider, who is also the contact for response to warrants, etc.

So what happens is the LI provider gets a warrant for something like "give us everything to/from this device or phone number". The provider verifies the legality of the warrant, applies the ETSI standard to one or more devices on the provider network, receives the data, and then provides it to law enforcement (in real time). The network provider isn't even aware of the court order.

The old trope in Mafia movies of "I got a guy inside the phone company to tip us off" hasn't been accurate since CALEA came into effect in 1995.

[0] https://www.fcc.gov/public-safety-and-homeland-security/poli...

[1] https://www.etsi.org/technologies/lawful-interception

This feels like Mullvad is trying to tell us something?

Or, maybe, it's just slightly inept at lobbying for their cause? It should really end with a specific call to action, or at least mention if there's any legislation going through the process right now that needs support or opposition?

I guess the call-to-action is to use Mullvad (which I happen to do, and can't complain about). For Germany, I will add http://freiheitsrechte.org/ as the local equivalent of ACLU & EFF that one might want to join.

You might want to remind people what commercial VPNs are good for: it masks the IP from _COMMERCIAL_ entities. It doesn't protect from the NSAs of the world because they have no restrictions on which foreign VPN servers they compromise, and FVEY routinely bypasses constitutional protections by compromising servers of opposing countries, e.g. GCHQ and NSA exchange data they extract from the opposing countries' citizens.

Mullvad and other VPNs only provide a trivial layer of IP address masking; they don't automatically block the endless list of tracking elements, from HTTP headers to web bugs, LSOs, JWTs, cookies, WebRTC, or canvas fingerprinting, and user actions on the site.

It's also the case that simply downloading a bunch of browser plugins will probably make your browser look unique, if it wasn't already.

The best protection you have for anonymous browsing is with the Tor Browser, where every Tor user falls into three buckets depending on the privacy slider setting.

Commercial VPN to access the Internet is mostly a "feel good" service that offloads trust under a foreign jurisdiction that might not e.g. have laws wrt. torrenting, but don't think for a second it provides safeguards against governments. It's not that WireGuard isn't an excellent protocol, it's that the server is, performance aside, just an ordinary computer that can be compromised invisibly with one expensive zero-day and a persistent rootkit, and there's nothing the companies can do about it.

> Mullvad and other VPNs only provide trivial layer of IP address masking, they don't automatically block the endless list of tracking elements from HTTP headers to web bugs, LSOs, JWTs, cookies, webRTC, or canvas fingerprinting, and user actions on the site.

I’ve been a Mullvad user for a few years now and I’ve been quite happy with them but one thing I’ve noticed is that, no matter how I’ve got Mullvad or my browser configured, BBC/Channel 4 knows I’m not actually in the UK. If anyone has any idea how they’re getting my location I’d be curious to know.

> BBC/Channel 4 knows I’m not actually in the UK. If anyone has any idea how they’re getting my location I’d be curious to know

Plenty of ways to figure out you're connecting from behind a VPN. Aggressively filtering for well-known residential address space, detecting suspicious changes in traffic patterns from shared blocks/IPs used by VPN companies, detecting split DNS behaviour, detecting much higher latency and/or lower TTL between the client and server than what's expected/average within that public address space, detecting unexpectedly low MSS/MTU on the segment behind NAT, ...

Maybe they just assume that anyone on Mullvad isn't in the UK?

You might be sending a language in the request header (many browsers do this by default), something like en-gb.

I bet there are a few other areas this localization information leaks.
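A toy version of the consistency checks the two comments above describe (VPN address space, hop count, MSS, and an Accept-Language region that disagrees with the IP's geolocation), added here as an example and not code from the thread. The "known VPN" prefixes are RFC 5737 documentation ranges, the records are constructed, and the hop and MSS thresholds are illustrative assumptions.

```python
import ipaddress

# Constructed stand-ins for "known VPN/hosting address space": RFC 5737 documentation
# prefixes, not any real provider's blocks.
KNOWN_VPN_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.0/24")]

def hop_count(observed_ttl):
    """Estimate hops traversed by assuming the nearest common initial TTL (64/128/255)."""
    initial = min((t for t in (64, 128, 255) if t >= observed_ttl), default=255)
    return initial - observed_ttl

def accept_language_region(header):
    """Region subtag of the first (highest-priority) tag: 'en-GB,en;q=0.9' -> 'GB', 'de' -> None."""
    first = header.split(",")[0].split(";")[0].strip()
    parts = first.split("-")
    return parts[1].upper() if len(parts) > 1 else None

def vpn_signals(rec):
    """Collect weak indicators that the client is tunnelled or that its locale disagrees
    with the country its source IP geolocates to. Each one alone is a guess, not proof."""
    signals = []
    ip = ipaddress.ip_address(rec["src_ip"])
    if any(ip in net for net in KNOWN_VPN_PREFIXES):
        signals.append("known_vpn_range")
    if hop_count(rec["ttl"]) > 20:      # assumed threshold: far beyond a typical domestic path
        signals.append("high_hop_count")
    if rec["mss"] < 1400:               # 1460 is normal for a 1500-byte MTU; tunnel overhead shrinks it
        signals.append("low_mss")
    region = accept_language_region(rec["accept_language"])
    if region and region != rec["geo_country"]:
        signals.append("locale_mismatch")
    return signals

def likely_tunneled(rec):
    """Require two independent signals before treating the client as behind a VPN."""
    return len(vpn_signals(rec)) >= 2

# Constructed sample records: one plain residential client, one tunnelled client
# whose browser still advertises a US locale while exiting through a UK address.
RECORDS = {
    "residential": {"src_ip": "192.0.2.10", "ttl": 55, "mss": 1460,
                    "accept_language": "en-GB,en;q=0.9", "geo_country": "GB"},
    "vpn_user": {"src_ip": "198.51.100.7", "ttl": 40, "mss": 1380,
                 "accept_language": "en-US,en;q=0.8", "geo_country": "GB"},
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        print(name, vpn_signals(rec), "tunneled" if likely_tunneled(rec) else "clean")
```

Of these, the Accept-Language region is the only signal fully under the user's control, which makes it the first thing to check in the browser when a site keeps placing you in the wrong country.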

Never heard of GFF, thanks for the link. For anyone who speaks German, the wikipedia article [0] has a decent summary of them.

[0]: https://de.wikipedia.org/wiki/Gesellschaft_f%C3%BCr_Freiheit...

> This feels like Mullvad is trying to tell us something?

I agree:

>If you would like to communicate in a truly safe manner, do not trust any 3rd party – encrypt yourself. Do not use any US-based service for anything secret, especially if you are a company or government handling PII information.

Do take into consideration that this is a Mullvad VPN ad.

I've only heard good things about mullvad and their Wireguard-based VPN solution (...so long as random reddit comments and forum posts are to be trusted).

I wonder what 5/9/14 eyes actually do with the intercepted data? Isn't mere processing of the said data a gargantuan task? Is this where Palantir comes to play, or is it more like of a `cat atlantic_pipeline | grep bomb` thing?

> or is it more like of a `cat atlantic_pipeline | grep bomb` thing

For what us ordinary people know, there are "selectors", something similar in purpose to regular expressions, that can filter data out of the streams (not just raw IP communications, but also phone call metadata and PIR datasets from airlines) for storage and human inspection. Think of stuff like the phone numbers, names or email addresses of known or suspected "terrorists", drug dealers, organized criminals, or whomever else ends up on one of the flag lists.

It also can be used once shortlists are determined.

E.g., we suspect person 1. Now, do a deep search on 1, find associates, do a deep search on those.

And it gets even “better”: the “association” goes three levels deep. Basically, your friends’ friends’ friends. So if Alice knows Bob, Bob also knows Charlie, and Charlie also knows Dave, the mere suspicion against Alice is enough to sweep Dave into the dragnet.
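The three-hop rule described above, worked through as an added example (not from the thread): a breadth-first search over a contact graph shows that Dave lands in the dragnet at exactly three hops from Alice, and a constructed random population shows how fast the swept-in count grows with each hop.

```python
from collections import deque
import random

def add_edge(graph, a, b):
    """Undirected contact: if Alice has Bob in her call records, Bob is linked to Alice too."""
    graph.setdefault(a, set()).add(b)
    graph.setdefault(b, set()).add(a)

def reachable_within(graph, start, max_hops):
    """Breadth-first search; returns {person: hop distance} for everyone within max_hops of start."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue                      # do not expand past the hop limit
        for neighbour in graph.get(node, ()):
            if neighbour not in dist:
                dist[neighbour] = dist[node] + 1
                queue.append(neighbour)
    return dist

def chain_example():
    """The Alice -> Bob -> Charlie -> Dave chain from the comment above."""
    g = {}
    for a, b in (("Alice", "Bob"), ("Bob", "Charlie"), ("Charlie", "Dave")):
        add_edge(g, a, b)
    return g

def synthetic_population(n_people=20000, contacts_per_person=12, seed=1):
    """Constructed contact graph (not real data): each person picks random contacts."""
    rng = random.Random(seed)
    g = {}
    for p in range(n_people):
        for q in rng.sample(range(n_people), contacts_per_person):
            if q != p:
                add_edge(g, p, q)
    return g

def dragnet_sizes(graph, suspect, max_hops=3):
    """Cumulative number of people swept in at 1, 2, ... max_hops hops, excluding the suspect."""
    dist = reachable_within(graph, suspect, max_hops)
    return [sum(1 for d in dist.values() if 0 < d <= k) for k in range(1, max_hops + 1)]

if __name__ == "__main__":
    print(reachable_within(chain_example(), "Alice", 3))
    print("people swept in at 1, 2, 3 hops:", dragnet_sizes(synthetic_population(), 0))
```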

It is really awesome. I was looking for a solution that allowed me to use the native Wireguard implementation without needing a third-party proprietary client. Mullvad was it and port forwarding was just one additional benefit. Vopono works great for my use cases, although I have a hard time sending everything through a VPN because pretty much every VPN provider is going to put you into captcha hell or some services straight up block you when you're behind a VPN.

Yes, it’s great to be able to just use pure WireGuard - I’m allergic to the idea of VPN providers expecting you to run their proprietary app. WireGuard has a great iOS app these days too.

Mullvad are the best VPN service out there by far IMO - and writing vopono: https://github.com/jamesmcm/vopono - I used many of them!

I think most VPN users just want something to access different Netflix catalogues though, and Mullvad doesn't play that cat and mouse game.

By the way, the Max Schrems mentioned in the article has started an EU Privacy watchdog project:


Please support them with an annual donation; they seem very dedicated and the work they're doing is very worthwhile (and they have already gotten significant results).

My info is dated. Back in the day when LI was passed and became federal law, I was working in telecom and we had to have LI ports on all backbone ISP routers. No idea what legal process they had there, but operations didn't touch the LI ports. I heard it had a federal portal that the feds could access directly.

This was almost 2 decades ago, but on mobiles, they had a custom portal where you put in a phone number, and all traffic is logged, location, etc. Also they had a department to handle just warrants for data for mobiles.

This is almost the same way we did it for child porn cases about 10 years later in photo hosting. Either a photo matched a known md5 sum of content, or a cop would submit a warrant, legal would contact operations and ask us to run the warrant script. The script would zip up the entire user's data and burn it to DVD. The cop would walk into the data center and pick it up.

No chain of custody would include an employee. I'm assuming facebook/twitter has portals for feds now, since they already have government portals for cities/state employees.

This is sort of an aside, but I find it interesting that so many people’s threat models include the NSA/CIA. I see it all over the privacy-focused forums and subreddits I read. Don’t get me wrong - I believe privacy is a fundamental right and a carte blanche dragnet approach used by these agencies is not appropriate, but paying $10/mo for ProtonMail and ProtonVPN isn’t going to address that threat. That said, there is a balance between digital security/privacy and living a normal life. If you are truly trying to hide your online activities from those agencies, you are going to need to live a very specific lifestyle.

I’m more concerned about my privacy being utterly raped for advertising purposes. That’s why I use a paid VPN, paid privacy-focused DNS, paid ProtonMail account, use Signal, etc. I could probably be better served from self hosting some of these things, but this is a good balance for me. It seems to me that this concern - hiding data from Google, Microsoft, Verizon, etc. - is secondary to hiding from the NSA/CIA in many open privacy conversations.

Note - I am sympathetic to the fact that there are hostile governments all over the world and privacy-tooling is mandatory for whistle blowers, activists, protestors, journalists, etc.

I think this comment would also have worked without the "r" word.

Ah yes “forced to surveil the populace”. This is horsehockey. They already do it, they just don’t want to be told what to do by daddy government. It’s “resistance as a competitive advantage”, minus the real resistance.
