This is really cool, you'd expect any VPN provider that cares about security and transparency to act like Mullvad. Some pour thousands of dollars into forcing influencers to say they care about security, while others focus on actually improving security.<p>And it's all open source btw. <a href="https://github.com/system-transparency/stboot">https://github.com/system-transparency/stboot</a>
Not to provoke predictable responses, but I find it interesting that the tech-talented VPN providers are not using BSD in favor of Linux, especially with requirements like diskless operation, kernel customization, and tighter security.
I wonder about those VPNs that say "we don't log or store anything". That may be the case, but they probably just send a continuous stream of data to the law enforcement / intelligence services or whoever instead of storing it themselves. They can then correctly say "WE don't log".
One thing that I always wondered from VPNs.<p>Let's say a pedophile uses Mullvad to get forbidden images, isn't the VPN liable?<p>I mean, the law enforcement will see that the IP was from Mullvad's office, so I assume they are the ones doing it? How do they avoid this?<p>It is a real doubt. Maybe stupid, but real.
"They" will just spray the machines with liquid nitrogen, pull them out of the rack, put the DRAM in a thermos w/ LN2 and read the data at their leisure.<p><a href="https://ieeexplore.ieee.org/document/8388826" rel="nofollow noreferrer">https://ieeexplore.ieee.org/document/8388826</a>
Still doesn’t protect you against hardware based backdoors, or other types of backdoors like memory injection or supply chain, to get data on the fly<p>> When servers are rebooted or provisioned for the first time, we can be safe in the knowledge that we get a freshly built kernel<p>Any info what’s the period of time doing so? Do you provision them every day, week? An hour maybe? The more the period the less chance of some attack vectors.
In north america and europe, VPN are required by law to keep logs of your use of vpn (site you visit, inscription email,...) for 1 or 2 years.<p>Most VPN company advertise they do not keep logs of your browsing...<p>Which would be in infraction with european and american laws.<p>So I don't what to think of diskless VPN.
> freshly built kernel, no traces of any log files, and a fully patched OS<p>Wouldn't using a disk in read-only mode accomplish the same thing?
> All of our VPN servers continue to use our custom and extensively slimmed down Linux kernel, where we follow the mainline branch of kernel development.<p>The custom server is a niche security point. While every server is continously researched and patched, we cannot expect the same from a a server like this. If someone were to find a security hole, an attacker would purchase it and no one else would ever know the system was compromised.
Nice work!<p>But, if anything should be a decentralized anonymous crypto-paid service, it should be a VPN network.<p>Centralized VPNs are still a single point of failure privacy risk. We have to trust they don't share our identity/account info and activity.<p>I am surprised dVPNs are not THE first rationale given for crypto. I.e. since separately and together they (ideally) have a clear comparative advantage over other alternatives for strong privacy.<p>A performant global open-standard dVPN could become an indispensable layer of web access.