upvote

points

by illiac7866 hours ago |
comments
upvoteby overfeed6 hours ago|
[-]
> It does significantly lower the bars for identifying you though, but the requirements are still high

If you squint a bit, it looks a lot like a "Nobody But US" (NOBUS[1]) scheme. A few more identifying bits could tip the scale for party that has a whole host of other bits on a list of suspects, without being useful to most other people.

1. https://en.wikipedia.org/wiki/NOBUS

reply
upvoteby linkregister5 hours ago|
parent|
next
[-]
Then why complicate it by being publicly insecure? If Mullvad were wanting to defeat anonymity, they could simply log the traffic metadata while falsely advertising they aren't.

Their ads on San Francisco's public transit are good.

reply
upvoteby hackinthebochs5 hours ago|
parent|
next
[-]
Good VPNs tout the fact that they had nothing to give in response to a subpoena, or that there was nothing a law enforcement agency to find when they seized a server. For mullvad to be effective as a honey pot it needs to survive these events with its reputation in tact.
reply
upvoteby MuteXR4 hours ago|
parent|
[-]
If it were a true honeypot by a state agency, they'd be able to just lie about having nothing too.
reply
upvoteby hackinthebochs2 hours ago|
parent|
[-]
Not when people get arrested and the investigative techniques, sources, etc are made public. They would have to intervene in the legal process to make sure mullvad's role was kept secret. Presumably this isn't always feasible across jurisdictions.
reply
upvoteby raverbashing5 hours ago|
parent|
prev|
[-]
"public insecure" JFC

Security is always a balance. Always

AI is showing that everything has a weak spot (wondering where are the "I don't make mistakes with C" now people are - but that's for another discussion)

There's another commenter mentioning this makes sense because exactly it avoids them keeping information on which customer is matched to which server. You know, one of the things you don't want to log

Could it be done better? Probably.

Here's a better idea, logging off is 100% safe

Meanwhile 99% of the normies will go for NordVPN

reply
upvoteby illiac7866 hours ago|
parent|
prev|
[-]
You definitely need glasses then.

Let me specify: The user must have entered his data on one site which the attacker has control of. That is a high bar still.

reply
upvoteby UqWBcuFx6NV4r5 hours ago|
parent|
[-]
it really isn’t.
reply
upvoteby illiac7865 hours ago|
parent|
[-]
Examples?
reply
upvoteby overfeed2 hours ago|
parent|
[-]
IP addresses are metadata - and don't require search warrants, meaning they are fair game for dragnet surveillance. Tapping into a backbone, a la Room 641A, can be used to cross-reference timestamped public posts on an anonymous message board to other data sources (e.g. subpoena Netflix for payer based of Netflix's access logs from VPN exit IPs)
reply