Malwarebytes' privacy VPN is Mullvad in a shady trenchcoat (dustri.org)
293 points by todsacerdoti 54 days ago | hide | past | favorite | 115 comments

Mullvad highlighting the fact that Malwarebytes is using their network:


The essence of the article:

Except that Malwarebytes Privacy is just some paint on top of Mullvad and various open-source tools, which would be a parasitic albeit fine behaviour if this was clearly disclosed (as Mullvad is (amusingly) doing on its website), but there is no mention of this whatsoever on Malwarebytes' one. Worse, they're using a possessive voice when talking about the servers (that are Mullvad's) and the code (mostly Wintun and wireguard-windows amongst others), to which they didn't contribute back a single line of code.

Speaking of code, it's shipping:

- 7z.dll from 2018, licensed under LGPL, and some parts under BSD, violating this license.

- wintun.dll, from the Wintun project, without mentioning it, thus violating its license.

Most of the embedded dependencies are from 2018, and subject to documented vulnerabilities:

- OpenSSL 1.1.0h

- pcre2

- 7z, as mentioned above

- Poco 1.9.0
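The dependency list in the quoted article is the kind of thing you confirm by reading version strings straight out of the shipped DLLs rather than trusting a changelog. The following is an added example, not code from the article or from Malwarebytes: it pulls printable strings out of a binary blob the way `strings` does, matches the `OPENSSL_VERSION_TEXT` pattern that OpenSSL builds embed ("OpenSSL 1.1.0h  27 Mar 2018"), and flags anything below a chosen floor. The byte blobs are constructed stand-ins for DLL contents, and the `1.1.1` floor is an illustrative policy choice (the 1.1.0 series reached end of life in September 2019), not a value from the page.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# OpenSSL builds embed OPENSSL_VERSION_TEXT verbatim, e.g. "OpenSSL 1.1.0h  27 Mar 2018",
# so the version and build date can be read out of a DLL without loading it.
_OPENSSL_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)\s+(\d{1,2} \w{3} \d{4})")


class Finding(NamedTuple):
    library: str
    version: str
    build_date: str
    outdated: bool


def printable_strings(blob: bytes, min_len: int = 6) -> Iterator[str]:
    """Yield runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for match in re.finditer(pattern, blob):
        yield match.group().decode("ascii")


def parse_openssl_version(version: str) -> Tuple[int, int, int, int]:
    """'1.1.0h' -> (1, 1, 0, 8). The patch letter becomes an integer so tuples compare."""
    match = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", version)
    if match is None:
        raise ValueError(f"not an OpenSSL 1.x style version: {version!r}")
    major, minor, fix, letter = match.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def scan_openssl(blob: bytes, minimum: str = "1.1.1") -> List[Finding]:
    """Report every embedded OpenSSL version string and whether it is below `minimum`.

    `minimum` is an illustrative policy knob (assumption): the 1.1.0 series reached
    end of life in September 2019, so anything below 1.1.1 is flagged here.
    """
    floor = parse_openssl_version(minimum)
    findings: List[Finding] = []
    for text in printable_strings(blob):
        for match in _OPENSSL_RE.finditer(text):
            version, date = match.groups()
            outdated = parse_openssl_version(version) < floor
            findings.append(Finding("OpenSSL", version, date, outdated))
    return findings


# Constructed stand-ins for DLL contents: junk bytes around an embedded version text.
OLD_DLL = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16 + b"OpenSSL 1.1.0h  27 Mar 2018\x00" + b"\xff\xfe" * 8
NEW_DLL = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16 + b"OpenSSL 1.1.1k  25 Mar 2021\x00" + b"\xff\xfe" * 8
NO_SSL_DLL = b"MZ\x90\x00" + b"some other library text here\x00"

if __name__ == "__main__":
    for name, blob in (("old", OLD_DLL), ("new", NEW_DLL), ("none", NO_SSL_DLL)):
        print(name, scan_openssl(blob) or "no OpenSSL version string found")
```

On a real installation you would read each DLL with `open(path, "rb").read()` and feed it to `scan_openssl`; the same string-scan approach extends to any library that embeds a recognisable version banner, but each library needs its own regex, so only the OpenSSL pattern is shown here.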

It has always amused me that despite how liberal BSD licenses are, there are always those guys that manage to violate even them.

> wintun.dll, from the Wintun project, without mentioning it, thus violating its license.

I am curious and want to understand, not arguing, but this is a serious allegation. Can someone point out exactly where the Wintun violation is?

I’m not a lawyer, but I’ve read the license [1] carefully, and I don’t see an obvious violation for failure to mention Wintun. Section 3 “RESTRICTIONS” does say no removing of proprietary notices, labels or copyrights - is that the problem? It says no redistributing the “rights of the Software” which is different than using the Software directly. And maybe(?) most relevant it says you cannot use the name Wintun to promote your own software, which seems potentially almost opposite of this claim of violation. The license does not seem to mention any requirement to post the name of the project, did I miss something subtle?

[1] https://git.zx2c4.com/wintun/tree/prebuilt-binaries-license....

Needs to be analysed one-by-one.

> Section 3 “RESTRICTIONS” does say no removing of proprietary notices, labels or copyrights - is that the problem?

The license in itself doesn't say that, but the header to link to the DLL is dual-licensed under GPL and 3-BSD (note that the rest of WinTun is solely GPL), and all BSD variants require notices (even if it is in an About section).

> It says no redistributing the “rights of the Software” which is different than using the Software directly.

So no sub-licensing, for example. They can distribute the software as-is (if using this license), but they cannot adjust the restrictions to a more permissive license (say, BSD or MIT). This is to enforce GPL2 in other scenarios. This has an equivalent in proprietary licenses, where it says that the software is licensed to you but its IP is not transferred.

> And maybe(?) most relevant it says you cannot use the name Wintun to promote your own software, which seems potentially almost opposite of this claim of violation.

"Promotion" here has a specific meaning, at least in the US. Mentioning that your software uses WinTun for legal compliance is not promotion. Mentioning WinTun in your advertisement for the software (unless to mention that it uses WinTun for its VPN), and especially mentioning that WinTun recommends your software, is banned. This might be very obvious, but even 3-BSD (example follows) has maintained this language because trademark laws are weird.

Extract of 3-BSD:

  3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

>but this is a serious allegation

Haha, no. Even if entirely true, it's really not a serious allegation.

Why 7z and not the fully public-source version 7za? I'm really confused here, there's a way to avoid this problem, and Malwarebytes just failed it. I don't think that they need to use other decompression methods.

Why is bundling a (L)GPL .dll considered a violation?

Because you have to make the source code available to people who receive your distribution of the library.

Did you ask?

You shouldn’t have to ask. The GPL requires that the distributor either sends the source code alongside the binaries, or that the distributor sends along an explicit written offer to send the source code. If you, as a recipient of binaries, did not get such an offer, and no source code was sent along the binaries either, the GPL was violated. There is no recovery from this, even if the distributor sends the source code on request.

Can you point to where in the GPL it says that it must be explicitly offered? I don't remember ever reading anything that gave me that impression, or anyone even informally mentioning that was the case.

I ask because I'd be in violation. I've attached the GPL to a bunch of dinky little projects I haven't bothered hosting a public repository for because I don't think anyone else in the 'verse really cares. In most cases I know I'm the only user, but there are a few that some other people have at least downloaded (probably bots or mistakes, but downloaded nonetheless).

You’re not in violation. If people download the binaries, and you offer the source code at the same download site, and they choose not to download the source code, that’s on them; you are off the hook.

I also did not mention (because it was not relevant to the parties being discussed) one other option: If you received the binaries from someone else, with a written offer for source code, and you are distributing the binaries non-commercially, you can simply forward a copy of the written offer of source code you received.

The section of the GPL 2 you want is section 3, and in GPL 3 it’s section 6.

This is covered in section 6 of the GPL(v3). See the text here: https://www.gnu.org/licenses/gpl-3.0.en.html

Note that there are some changes here compared to v2 of the GPL.

IANAL but my understanding/interpretation (simplified) is you have to either:

6a) Ship the binaries in a physical product with a copy of the source code accompanying

6b) Ship the binaries in a physical product along with an offer to provide the source code on request

6c) "occasionally and noncommercially" ship the binaries (not necessarily in a physical product) along with an offer to provide the source code on request

6d) Make the binaries available from somewhere (e.g. a website) which also offers the source code (e.g. GitHub would count)

6e) Ship the binaries via a P2P mechanism if you include a link to where you host the source code

Again, IANAL but if you hosted a GPLv3 binary somewhere without source code, it would technically be a violation of the GPL.

However, since you are the copyright holder in this case, you can ship it however you want - it would just prevent anyone else from then distributing it under the GPL since they wouldn't be able to comply with section 6, since they don't have the source code.

But this is not about distributing GPL code in a custom binary. Rather, a GPL binary library was linked against by a custom binary, and that GPL binary was distributed alongside the "custom" binary. Do those license terms apply here?

Yes, linking to a GPL library means you need to follow the terms of the GPL.

Pardon the confusion, this was about LGPL, not GPL—and the former does allow linking.

There are terms you need to follow when you link to LGPL libraries, as well. You need to provide your compiled program in an object format such that users can link it against their own versions of the LGPL library you originally linked it against. The LGPLv3 also adds some anti-Tivoization clauses, too, that make those rights explicit.

Section 6 pretty much lets you choose between:

- Bundling the source with the program (a)

- Letting people download the source from the same place as they can download the program (d)

- A written offer to hand over the source on request (b, c, e)


So? Maybe malwarebytes are doing that?

Are they? I got the sense that this is the issue.

I'll have to brush up on this. GPL code that's not seen by people, say it does something in messaging or as part of DNS or something: would it still have to be public? Use case is part of some web app that isn't installed.

If it's running on your server, then you aren't distributing it. There are licenses like AGPL that do try to limit that usage but GPL does not. Now if it is a web app that has client code that gets executed in the browser, that is distributed to the end user and GPL would apply, so you would need to include license notifications for that within your app or as part of the source code distributed. In that case you are already distributing source but you may need to make an unobfuscated source available if your distribution is minified/uglified.

YANAL ha, but I was curious even if we did have to disclose the specific GPL piece of software, do we only have to release that part? Not the entire app.

> web app that has client code that gets executed in the browser,

That's the technicality stuff, the client triggers an event, that then uses this GPL piece of code that is on the server. I went through our stuff (mostly NPM) and they all are either Apache/MIT but there was one piece like ahh... Anyway not making money yet but will bring this up for review with legal.


If my dubious understanding of the GPL is correct, you can link to an LGPL DLL without assuming the LGPL. Distributing that DLL modified/unmodified would require also distributing the corresponding modified/unmodified source code. I don't think that in this case we have a violation (for the LGPL code) since it's unlikely that they modified the source code for the named libraries (and would provide links to the unmodified source code after application of legal pressure). I also would assume that the copyright notices required to be displayed are all listed somewhere buried in the about dialog of the running software.


> wintun.dll, from the Wintun project, without mentioning it, thus violating its license.

Also, after reading the license, I don't see this particular clause at all.

From what I remember someone should basically be free to modify the DLL distributed under the LGPL license, so they need to be able to access the corresponding source-code and whatever logic is necessary to link a new DLL to the application (if required).

According to clause 4, you either provide enough source to compile and load a modified lib, or you use a dynamically linked lib. If you go the dynamic linking route no source distribution is required. I guess they figure the end user can get source from the library project themselves.

> If you go the dynamic linking route no source distribution is required.

For your code. The LGPL code still requires source distribution. (Plus, the BSD clause requires attribution.)

Certainly the authors of said LGPL code are distributing that source. Would it make sense to distribute the source of every .dll included in a project?

… Yes. That's your obligation under the LGPL. Pretty much your only obligation, actually – other than including the “this is this, by these people, licensed this way” boilerplate text.

Alternatively you could include the offer to distribute

Only with (L)GPLv2, I believe.

They have to provide the source code for those DLLs, which they aren't doing.

Actually I wanted to know, which clause says that. Is it Section 4d0?

No they don't, if I am correct all they need to do is allow you to swap out the dll for your own and put a license.txt or what not with the license. As long as the DLL is set up as a shared library (which it is) it is fine.

The source code is necessary to create "your own".

Not always, but, practically.

Buried in that article is this very fun and creepy link:


Not sure I would ever trust any privacy claims from a company that stores this type of made-for-fingerprinting data.

Risky click disclosure: The GIF isn’t a GIF, it’s a JSON response containing full geo-location data on the requestor.

> Not sure I would ever trust any privacy claims from a company that stores this type of made-for-fingerprinting data.

Reminder that every resource you request from anywhere causes the server to be able to index all this info on you. Anyone doing anything where audience matters has a subscription to MaxMind GeoIP lookup, giving you all this info inline on every request. There is nothing special about this GIF except it shows you the info the server has.

If it bothers you, the idea of servers having all this info tying your requests together, you can switch on “Private Relay (Beta)” on MacOS and iOS, but note that the beta doesn’t play nice with a custom profile for DNS (it will look up once for filtering, and again for private relay).

> Risky click disclosure: The GIF isn’t a GIF, it’s a JSON response containing full geo-location data on the requestor.

For the curious (a click through a proxy): https://archive.is/51hnq

        "country":"United States",
        "isp":"G-Core Labs S.A.",
        "autonomousSystemOrg":"G-Core Labs S.A."
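The check described in this sub-thread (a resource named like a GIF whose body is actually a JSON geolocation record), as an added example that is not code from the post, the article or any of the companies discussed. It classifies a captured response by its leading bytes, compares that against what the URL extension and the Content-Type header claim, and lists which identifying fields the body carries. The URL, headers and response bodies are constructed; only the field names country, isp and autonomousSystemOrg are taken from the response quoted above, and the other field names are common GeoIP keys added here for the check. This generalises slightly beyond the thread by also handling PNG pixels and an honestly labelled JSON response.

```python
import json
from typing import Dict, List
from urllib.parse import urlsplit

GIF_MAGIC = (b"GIF87a", b"GIF89a")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# What a body should sniff as if the declared type were honest.
EXPECTED_SNIFF = {"image/gif": "gif", "image/png": "png", "application/json": "json"}
EXT_TO_TYPE = {"gif": "image/gif", "png": "image/png", "json": "application/json"}

# Keys that identify the requester. country/isp/autonomousSystemOrg come from the
# quoted response; the rest are common GeoIP field names added here (assumption).
GEO_KEYS = {"ip", "country", "region", "city", "postalCode", "latitude", "longitude",
            "isp", "autonomousSystemOrg", "autonomousSystemNumber"}


def sniff(body: bytes) -> str:
    """Classify a body by its magic bytes, ignoring what the URL or headers claim."""
    if body[:6] in GIF_MAGIC:
        return "gif"
    if body[:8] == PNG_MAGIC:
        return "png"
    head = body.lstrip()
    if head[:1] in (b"{", b"["):
        try:
            json.loads(head.decode("utf-8"))
            return "json"
        except (UnicodeDecodeError, ValueError):
            pass
    return "unknown"


def type_from_headers(headers: Dict[str, str]) -> str:
    """Media type from Content-Type (any header case), without parameters; '' if absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("content-type", "").split(";")[0].strip().lower()


def type_from_url(url: str) -> str:
    """Media type implied by the URL path's extension; '' if none or unknown."""
    path = urlsplit(url).path
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    return EXT_TO_TYPE.get(ext, "")


def leaked_fields(body: bytes) -> List[str]:
    """Identifying top-level keys present in a JSON object body, sorted."""
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    if not isinstance(doc, dict):
        return []
    return sorted(k for k in doc if k in GEO_KEYS)


def audit(url: str, headers: Dict[str, str], body: bytes) -> Dict[str, object]:
    """Compare every claimed type (header and extension) with the sniffed type."""
    actual = sniff(body)
    claims = [t for t in (type_from_headers(headers), type_from_url(url)) if t]
    # A claim we do not know how to sniff is not counted as a mismatch.
    mismatch = any(EXPECTED_SNIFF.get(t, actual) != actual for t in claims)
    return {
        "url": url,
        "claimed": claims,
        "actual": actual,
        "mismatch": mismatch,
        "leaked": leaked_fields(body) if actual == "json" else [],
    }


# Constructed samples. The URL host is a documentation domain, not a real endpoint.
PIXEL_URL = "https://example.com/track/pixel.gif"
REAL_PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
              b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
FAKE_PIXEL = json.dumps({
    "ip": "203.0.113.7",            # constructed, RFC 5737 documentation range
    "city": "Anytown",              # constructed
    "country": "United States",     # field names below as in the quoted response
    "isp": "G-Core Labs S.A.",
    "autonomousSystemOrg": "G-Core Labs S.A.",
}).encode("utf-8")

if __name__ == "__main__":
    print(audit(PIXEL_URL, {"Content-Type": "image/gif"}, FAKE_PIXEL))
    print(audit(PIXEL_URL, {"Content-Type": "image/gif"}, REAL_PIXEL))
```

In practice you feed `audit` the URL, response headers and raw body of each request copied out of the browser's network tab (or a HAR export), and look at the entries whose `mismatch` is true: a genuine tracking pixel sniffs as `gif`, while a response that sniffs as `json` under an image name is worth reading in full, because the `leaked` list shows exactly what the server is telling the client it knows.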

There is a principle I live by, that most people used to live by before we entered this strange neo-savage era: “just because you can, doesn’t mean you should.” I expect the same from the companies with which I do business.

The only rational thing to expect from a company is to aim to be profitable, I suppose

In the MoviePass (and lesser so, WeWork) era, I'm not sure those are rational expectations anymore either.

This is a pretty nihilistic view of capitalism and I think we can aim to be better.

FWIW I know plenty companies that try to be a good company and not just a profitable one.

Did we? I believe Oppenheimer was overruled on Hiroshima.

Note that iCloud Private Relay only applies to Safari, not other browsers or apps.

A VPN (ideally with “kill switch”) + encrypted DNS would do the same for all traffic from your machine.

I'm 100% sure that I don't trust any company who feels the need to hide their data collection mechanism as a gif (or anything else).

You do realise that web servers often store logs of all requests, right? Those log records include the requesting IP address, from which all this information is derived.

Looks like a GeoIP database; for me it gives almost the same data as https://www.ip2location.com/demo/

It doesn't seem to be. MWB's location for me is much more accurate, I'm thinking Google?

For me it's more accurate (in the correct state) but still off by a lot (several towns over)

For me it returns the same result as Cloudflare, and they are using Maxmind

How does anyone ever find such things in sea of minimized JS?

The network tab in the browser's dev tools will show you all of the resources loaded, including shady fake gifs

that is a really handy gif.

Mozilla also offers a white-label version of Mullvad VPN, while subtly implying that they operate the VPN themselves: “A Virtual Private Network from the makers of Firefox.”

The entire point of white labeling is to act like you provide it. They pay for the right to say the VPN is from them. You're buying it from them, not Mullvad. It is from them. They aren't saying it is a VPN network operated by the makers of Firefox.

I like it.

I can support Mozilla and use Mullvad at the same time. It wasn't a mystery who was running the underlying service to me, that was actually a selling point.

Though they could make the connection more explicit, their "servers" link on the Mozilla VPN homepage is a link to Mullvad. And presumably it isn't violating any licenses.

That's true, though they did write their own client UIs.

Why doesn't Mozilla host its own WireGuard-based VPN? Could be a good way to lure users.

Running a VPN service is not a simple operation. I assume Mozilla simply did not want to maintain their own infrastructure.

Apart from all the legal trouble like dealing with copyright violations (DMCA emails), law enforcement requests etc. it is also increasingly difficult for the VPN providers to circumvent VPN detection services (like https://focsec.com). Netflix, Spotify and others are investing heavily into VPN detection technology, so it is a constant cat and mouse game, they always need to bring up new locations.

> Netflix, Spotify and others are investing heavily into VPN detection technology

I never understood why. It seems to me that the only effect of this "investing" is a surge in piracy.

I assume the push comes from the original license holders of the content, wanting to bargain effectively with multiple parties region by region around the world.

Back in the day Netflix really didn't seem to care about region blocking beyond the most basic check, and why would they: you pay your subs and you get content.

Being able to get more content by proxying to say the US etc actually got them more subscribers not less.

Why can't they do region locking based on the billing address of the credit/debit card used to pay for their services?

Travel. Content is licensed to geographic areas, not people/billing areas.

Which is utterly, brainlessly, grubbily stupid as a facet of modern digital content streaming. Aside from being absurd in principle, will large numbers of people suddenly migrate to another country so they can use its Netflix selection? Probably not.

I understand the legal _why_, but legal stuff is malleable, much like most things that people have created.

> but legal stuff is malleable

... but I don't think Disney is.

(And yes, Disney+ is technically only available outside of Asia; while some services inside of Asia are branded Disney+, they are not even the same system at all!)

My guess would be that they are required to enforce geoblocking as part of their licensing agreements with the studios.

Yep, Mozilla does not have VPN infrastructure money. They're happy if they have enough money to develop Firefox.

Of course they could afford it, but would it be a good use of money? I kind of doubt a Mozilla-hosted VPN would be much more popular than the Mullvad-based one, and them partnering with companies that do a good job instead of competing sounds like not a bad thing.

What makes you so sure they could afford it? How much does it cost to set up an independent global VPN service?

Not sure about exact numbers, but e.g. Mullvad appears to have less than 25 employees, some of which are going to be administrative overhead Mozilla already covers for the entire company, so let's say ~20 people on the product (including support etc)? Even a now downsized Mozilla has to be able to dedicate 20 people to an attempt to make money. And that is probably not as small as you could do it if you had to.

Don’t VPNs have a very large number of servers all over the world? That must cost a ton of money and make it hard for new players to enter the market without a significant investment. I’m not sure Mozilla can spare such an investment right now.

Because they drank the evil corporate Kool aid years ago; it's cheaper and easier just to misappropriate someone else's service.

How are they misappropriating anything?

Well, by virtue of what the GP comment said:

> Mozilla also offers a white-label version of Mullvad VPN, while subtly implying that they operate the VPN themselves: “A Virtual Private Network from the makers of Firefox.”

Maybe 'misappropriate' is a bit of a stretch, and certainly the rest of the language in the above comment is tiresomely partisan, but it's not hard to see what they meant.

Just tested the Mullvad VPN using IP2Proxy, a VPN detection service. It looks like Mozilla VPN could not bypass detection easily.

> Techradar even said "This could be the most secure VPN around today".

This quote is very telling of journalism today. Many internet publications and YouTube videos are just listicle machines and company marketing hype generators with very little actual investigative work.

“could be” is doing a lot of work there.

Isn't it known already that a lot of tech journalists on YouTube don't do much besides read a spec sheet while standing in front of a nice background, playing with cool camera gear?

Even mainstream channels that I consider decent like LinusTechTips very often stretch something that could be said in 2:30 minutes into a 10+ minute long video, making me feel like I'm wasting my time when I could read a few different articles in that same timespan and be better informed.

Not to mention the typical bullshit overselling of the capabilities of a VPN, while realistically for the average user the most useful thing about a VPN is being able to watch region locked content and torrent movies without getting a letter from their ISP. For any serious need for privacy using something like the Tor network is the best choice.

If you don't want to pay for journalism it dies.

From what I have read, Mullvad is universally liked. I'm curious if there are any critics?

I like them a lot and I think their stack is extremely solid. I would like for the client to be easier to update, e.g. via a signed OTA.

Disclaimer: I contributed to Wireguard but already liked Mullvad before they included Wireguard.

Some criticism I've seen:

- Speed isn't always the fastest

- Desktop application isn't as polished

- Fewer countries supported

- Popular streaming services block it easily

- The account system might be confusing to newcomers

While these concerns are fair, I still think it's better than the competition.

Stores like Best Buy and Target will cancel your orders (without telling you why) if you make purchases using Mullvad's VPN.

Rarely I'll come across 403 errors. Usually when I do, it's another online store.

> Popular streaming services block it easily

This is a feature. Some VPN providers resort to routing through residential IPs to unblock streaming services.

This is the only use case I personally need from a VPN. Accessing US or UK Netflix and such because of geolocking.

My credit card had a bunch of fraudulent charges ~30 minutes after I ordered. Obviously that could just be a coincidence, but it seems strange.

But they are a pretty awesome service. I will just pay with crypto next time I guess.

The few interactions I had with Malwarebytes, including off-record conversations with their engineers at Defcon, have all left me with a bad feeling about the company and their definition of quality and security. I'm not surprised, but still disappointed.

Mullvad really shouldn't partner with companies like this.

Malwarebytes used to be well regarded anti-malware software.

Are they shady now?

If you want to run their on-demand scanner you need to install a root level program that auto runs every time you turn on the computer.

It installs a half dozen always-on background processes, even on Mac. These processes are constantly phoning home [with an obfuscated payload].

I have written to them to ask why an on-demand scanner is doing this and got no response.

I suspect that they are highly regarded mostly because of good marketing.

By the way, they call themselves "Malware Bytes". History says that when someone tells you they have nefarious intentions, you should believe them.

However, none of that is related to this article, which is just them using some open source software without bothering to keep the license requirements.

> If you want to run their on-demand scanner you need to install a root level program that auto runs every time you turn on the computer.

To be fair, that's likely going to be a requirement to detect any malware that actively hides itself.

At most let it run once on the next boot cycle. Why every time after that?

Pretty much every anti-malware company is seen as shady by me.

Not at all, Mullvad is an outstanding VPN and one of the few that supports IPv6, and it's completely normal to re-brand existing technology. Even in that particular business it's very common: Many antivirus vendors use 3rd party antivirus scanners and databases instead of their own.

My only concern is that they discontinued their Chameleon project which allowed you to potentially run Malwarebytes on an extremely compromised machine, one with malware that actively tried to block and break anti-virus scanners[0]. Now you have to use the full MB application all while it doesn't allow single-run usage.

0: https://blog.malwarebytes.com/malwarebytes-news/2012/12/cham...

I really wish I could get a clear answer on this as well (for their anti-malware service, as I'm not particularly concerned with them white-labeling the same VPN service that Firefox white-labels).

It's explained in the article.

Not really, the article just discussed that they are fingerprinting and collecting data in these instances.

I also want to know if there is more to the story.

So you don't consider falsely claiming VPN tech as your own while also including a tracking gif on every page "shady"? Guess we have different definitions...

Seems no different than Costco's Kirkland Signature brand. Private labeling something as your own that is made by someone else (and not disclosing who) is not really a new concept.

My Kirkland Signature Brand hotdogs don't include an embedded tracking device.

It wasn't just the fingerprinting and data collection that was mentioned. There were also out-of-date dependencies with known vulnerabilities. Also, their un-audited kernel driver.

What confuses me is how the two major resellers have different pricing models. The plans aren't exactly the same, but broadly speaking Mozilla is more expensive than Mullvad and Malwarebytes is cheaper than Mullvad. They both launched in the same year. I'd love to know if they have the same commercial arrangement. Or if, for example, Malwarebytes treats it as a loss leader.

Pure vpn has also launched its white label vpn service. Check this https://www.purevpn.com/white-label/

Malwarebytes hasn't been a useful tool since Windows 10 built in most of its beneficial functionality. The company seems to be trying "creative" monetization rather than innovation.

I like Mullvad. But I don't trust M247 (which hosts most locations), which has a questionable rep. People overlook this every single time.

Controversial opinion: You don't use a VPN for privacy.

Without a VPN or other proxy, how would you keep people from tracking you by IP?

Is your IP really the thing that is compromising your identity?

Using a VPN adds an additional potentially untrustworthy third party in a privileged position to monitor your activity. Do the benefits outweigh that cost?

Don't get on the internet.
