Even if you have encrypted your traffic with a VPN (or the Tor Network), advanced traffic analysis is a growing threat against your privacy. Therefore, we now introduce DAITA.
Through constant packet sizes, random background traffic and data pattern distortion we are taking the first step in our battle against sophisticated traffic analysis.
The Chinese Great Firewall (GFW) has already been using machine learning to detect “illegal” traffics. The arms race is moving towards the Cyberpunk world where AIs are battling against an AI firewall.
Careful criticizing China you will awake the Tankies.
Drums, drums in the deep …
You can conviniently block a whole instance from your account now, it reduces this kind of disagreement a lot.
Should you though?
I get it, it’s annoying, but the entire “let’s block people with opinions I don’t like” is probably the single source of pillerization and increased extremism on the internet.
If I’m not allowed to have a discussion or disagreement with you, and get kicked out instead, I’ll just go to places where they will talk with me and where it’s chock full of other idiots like me who are much more extreme and in our safety bubble we can all continue not beat the same dead horse and circle jerk and make eachother more extreme because there are no dissenting voices, there are no voices or reason and calm, there are no cooler heads around.
This entire moderation where we simply started dumping people with who we disagree has made the world a.much, much worse place.
Granted, it sucks to have to deal with crazies and extremists, but at least whilst they’re in the group we can all keep them grounded in reality.
If I’m not allowed to have a discussion or disagreement with you, and get kicked out instead, I’ll just go to places where they will talk with me
I actually tried to, and if it was possible to have rational and polite discussion, without straw man arguments, dog pilling, personal attacks and finally threats of violence, I would have continued to try. But sadly all of this happen, multiple times.
At some points I considered leaving Lemmy, thinking that this federation as a whole was not safe for debating. But then I started understanding patterns, either it was from the users from a specific instance, or it was communities from a specific instance that turned like that. Overall the pattern seem to be that if the instance mentions extreme political ideologies in its description or if the profiles of its admins do, then debating is not possible.
If they want to stay connected to people to avoid the circle jerk, they have to work on themselves too (ex: learning to debate politely), you can’t except us to absorb all the damages to help them avoid radicalization. It’s like walking towards a terrorist group with flowers while they are shooting around and expecting them to be inspired by your pacifism.
I do enjoy debating and questioning my own beliefs, but I am not on Lemmy to consume my mental health, so I need to take some actions to protect it.
not safe debating
Sorry, just to comment on this one: I really dislike that phrase, its use is part of the reason why we are where we are. You ARE safe, all the time. It’s not like you talking in a lemmy instance puts you at risk of being shot in the head.
You may encounter assholes, and opinions that you don’t like but that doesn’t make you unsafe. Uncomfortable, mayby, for having to read information you oppose?
A black man driving and stopped by US police can claim he feels not safe. We lemmies are perfectly fine. I think many people need to grow a little thicker skin in that regard.
Uncomfortable, mayby, for having to read information you oppose?
dog pilling, personal attacks and finally threats of violence […] I am not on Lemmy to consume my mental health
Not all violence is physical.
I think many people need to grow a little thicker skin in that regard.
Are you blaming me for not having a tick enough skin instead of blaming the behavior of attackers? Please reconsider that thought.
I’m not on the internet or lemmy to make the world a better place, I’m on here to kill time/enjoy myself/learn some things. I dont have the mental space to deal extremists, and particularly extremists that have a world view thats incompatible with itself if taken at face value, and I certainly dont have anything valid that I can learn from tankies, and as such, my block list has gotten quite large, and my general mood has increased because of it
This is my thinking for using .world. I don’t get all my news or interaction from Lemmy or the internet as a whole, and Lemmy is small enough that it has an almost zero impact on broader society. I respect those who try, but if my internet experience was antagonistic or frustrating I’d probably just stop using it.
I also feel that conversations of that nature are best had in person, where there’s a higher chance of changing minds. I’ve no proof but it feels like internet discussions are taken less seriously and thus merely end before any opinion changing can occur.
You also have far less info on internet conversion on whether or not its being had in good faith, which is an extra hurdle on opinion change
I “blocked” hexbear, because a mod didn’t take the time to use their brain, labeled me a “pedophile apologist” and banned me from the entire instance. If they moderate based on “I don’t care what actually happened, I’m mad” then I’m not going to bother interacting with them.
Hexbear mods are paid to spread propaganda, not use their brain, two fairly exclusive activities.
This operates under the assumption that there are good decent people on every instance, but instances like Hexbear and Lemmy.ml are inherently corrupt and run by people who want to sow misinformation and chaos to negatively impact western powers. I’m not saying the whole thing is a Chinese operation, but if it were then it would be run exactly the same way it is now.
I don’t think your whole thought process differs from a tankie. They think the same in a “my team is better, other one is sowing misinformation” way.
Lmao, Tribalism is certainly a problem with our society, but ignorance of people clearly acting against your interests is no solution.
I was planning to, but ultimately didn’t. I have handed out personal blocks to obvious trolls and a brunch of hexbear users that spammed gifs in every single thread though.
Not even grad? Wow.
Nope. I have filtered both grad and hexbear out of my feed though, I don’t need their shit there. And don’t forget that many instances already are defederated with them, so there’s also fewer of them through that!
Yeah, I don’t block instances, just individuals that have proven to not act in good faith. I try to expose myself to as many diverse opinions as possible, but know if the people holding those opinions can back it up with facts, or are at least willing to consider the possibility that they’re wrong, and I try my best to do the same.
Problem I see with this is that a lot of “I block people who act in bad faith” have hair triggers when it comes to what they consider bad faith. I see their comments all over the place where its a disagreement and 6 comments in they’re claiming the other person is acting in bad faith and they’re blocking them
Yeah, that certainly happens.
I personally have only blocked like 2 users. It takes a lot for me to do it.
I very well get what you’re saying but a lot of people don’t understand the difference between “has a valid opinion I disagree with” and “is a flame troll LLM” and just block anyone with an opinion they don’t like, loudly proclaiming"you are a bad fatig actor!"
I think it really made the entire world a worse place to be in, everyone is in their own echo chambers now, nice and safely shielded from scary opinions that don’t align with their warped world view.
Yup, and I don’t know the solution here, but I’m honestly giving it a solid try. I intentionally place myself in online groups where people disagree with me to hopefully learn something from them and challenge their own preconceptions. I’m working on a ranking algorithm that should help highlight insightful content based on a web of trust (trick is to trust people who vote based on constructiveness, not agreement).
People point to media companies and politicians for the reason we’re so divided these days, but really that finger should be pointed back at us, the people. Those politicians wouldn’t be in power and media companies wouldn’t optimize for divergent opinions if we vote them in and reward them.
I don’t know the solution here, but I try to do my part. I live in a very conservative area, have libertarian views, and spend my time on leftist social media. I just hope it all balances out in the end.
Being able to block what you want is great, having other people decide what to block for you is not.
blocked
Exhibit a
Because engaging in discussion with certain groups, does nothing but legitimize and amplify their messages of hatred and bigotry you fucking genius.
You don’t engage in polite discussion with people that want you dead, that want to seize power and implement fascist authoritarianism, and who want to purge the “impure”.
How you deal with it is by aggressively reacting to and putting down their bullshit, and denying them platforms which to spread their messages and hatred.
People like you, who want to wring your hands and play nice and polite with nazis and their ilk, are doing nothing but pushing their agenda for them. People like you are nothing but collaborators, and people like you will end up on the wrong side of the stick alongside everyone else once you’ve outlived your usefulness.
I eagerly await your reply of “oh well that just means you’re intolerant and that makes you worse than the (insert authoritarian flavor of choice) that i want to politely talk with!”
I didn’t vote on your post, but want to say that you’re not going to convince many people with an antagonistic approach.
Well thats a condemnation of yourself, then. Not of me.
Cause if you cant see what engagement, and by extention, legitimization of their points due to that engagement, has done by this point… Then honestly you’re either blind and ignorant, or one of their agents trying to open the door with a soft approach…and I will always be antagonistic to them. If you find offense to that, then you just reveal that you’re on the wrong side of that line.
“let’s block people with opinions I don’t like”
I don’t think a lot of them are actually people, but rather LLMs. Also, does it count as “people with opinions” when it’s shills paid to spread authoritarian propaganda?
I do agree we should limit personal blocking, but that’s because we need to collectively manage the Fediverse. There’s no budget for countering misinformation campaigns, just us.
Instances blocking propaganda instances, on the other hand, is fantastic. It’s what we need for the Fediverse to survive instead of going the way of Voat and other extremist communities.
While LLMs have become a problem recently, this problem existed since way before that
deleted by creator
Instance blocking is dependent on client implementation, as it isn’t provided by lemmy itself.
edit: no longer the case
deleted by creator
Huh, neat
I think you are correct, but not having the opportunity to participate in a thread on those instances because you can’t see them anymore is part of the ways to avoid troubles.
Okay, which instances should I block to get rid of the tankies?
Lemmy.ml, lemmygrad.ml, and Hexbear.
Lemmygrad and Hexbear are the most obvious ones, sadly lemmy.ml is also part of them in my experience despite not being obvious about it (you have to check the admins and mods profile to see the link) and having some good content when it’s not about politics such as tech. There may also be some defederated by my home instance admins that I may not be aware of.
One day those tankies people here keep talking about are going to show up.
One day.
I always check under my bed each night to make sure there’s no tankies.
After I blocked hexbear and similar instances I haven’t scene them which is nice. Occasionally I’ll see a Lemmy world one but that is pretty rare.
I’d say they are more common on Lemmy.ml than Lemmy.world
Lemmy.world has many tankies. You keep seeing them pretend israel is not committing Genocide and America needs to kill all student protesters Tiannenmen style. They are also called liberals
Lemmy.ml does not have many tankies.
This is some top level spin here.
no u!!!
Muh historical nihilism
mental illness
Lemmy.ml was originally only federated with Lemmygrad.ml, so most people who stayed around in those days were quasitankie themselves
Yup. I generally avoid communities on lemmy.ml and I’m much happier for it. I used to sub to several because that was the biggest instance, but now other instances (this one, mine, and some others) are big enough to replace the stuff I don’t like there.
I don’t like that the community is divided like this, but it’s more pleasant I suppose.
I think our instance defederated with hexbear.
HI WINNIE POOH! How have you been, have you had your daily dose of honey yet?
I have some first hand experience with this. Brand new XMPP server, never before seen by anyone in the world, blocked within about 12 hours. Wireguard VPN on AWS lasts for a few hours on some networks, more on others. Never longer than a few days though.
From China?
I was there in 2017 or 2018 and set up a Shadowsocks server before I went with whatever the latest mitigations were that I could find at the time. My server wasn’t completely blocked, but ended up getting throttled to hell after a few days.
That’s one of the reasons why I love Mullvad, they actually care about their customers, not just about their bottom line
I wonder how much of a bottom line they actually have given how cheap their service is.
Mullvad is 5 bucks a month and never has promos.
Weigh that against Nord which often has a year for like 15 bucks…
But Mullvad is one of the few that actually seems to care about privacy.
Oh wow, I had no idea Nord could go that cheap. To me €5 a month felt really inexpensive.
I feel like every week someone on Lemmy says they would use mullvad except it’s too expensive. It’s refreshing to see somebody say oh yeah that’s fine.
€5 a month for a VPN is expensive compared to others? I always saw Mullvad as one of the least expensive options other than like protonvpn and very few other open source ones. Most VPNs are hella expensive
Personally I use Mullvad because it’s simple, very usable, open-source, and I can trust it the most (not to say some of the other open-source privacy-oriented options aren’t trustable). Ever since I got into programming, I’ve only ever used completely open-source options when I had the chance – if it’s not open source, I won’t use it. I make very few exceptions, like for games, because open source isn’t as successful there for the most part
I suppose it’s all a matter of perspective. When put next to a lot of other subscription services (like Netflix 😩) it’s pretty cheap. Compared to other VPNs maybe not so much? I’ve honestly never looked at a VPN-only service before, like Nord etc. as VPNs have never been something I’ve prioritised.
Still, knowing what little I know about Mullvad, €5 a month for a VPN that prioritises privacy seems fair to me. Again, it’s less than any of the streaming services and if privacy is important then it seems a fair price to pay.
I think with all things globally, we apply an intrinsic sliding scale. Down to how many hours of labor that represents for us. So if $5 is a few minutes of labor fine. But if it’s 5 hours of labor then people are less likely to jump on it.
Oh yes, absolutely. I am privileged to be middle-class (which I can appreciate even more as I grew up a povvo bitch) in Sweden where €5 while not nothing (for me in my economic situation) is a reasonable expense for an interest. I could rent a film for that money, or take the bus to the nearby town. I also happen to know people for whom €5 is a significant sum of money, so like previously said it depends entirely on your perspective.
I’m pretty sure they are profitable, considering they were founded in March of 2009. You can’t really run a company without profits for 14 years, right? Just routing network traffic isn’t that expensive after all. They are the only ones being honest about it, other VPNs charge way more because they only want to extract money from their customers.
Cheers. Network related stuff isn’t my forte so I really have no idea about the costs. I just figured that the moment you start adding a decent amount of users the costs will go up, and €5 seems like a really fair price.
It’s actually the other way around, the more users you have the cheaper everything eventually becomes
Economy of scale?
Yes, there’s no reason this wouldn’t apply to a VPN provider. It’s also the reason NordVPN or Surfshark is so incredibly cheap.
They have lots of users -> They can pay lots of money for advertising -> They get more users -> Everything becomes cheaper -> They can pay more for advertising
You get the point
If only they didn’t bend the knee to the five eyes and drop port forwarding
They got rid of port forwarding to improve the reputation of their IP ranges. That makes it less likely for Mullvad users to get blocked by CDNs like Cloudflare and Akamai when visiting websites. If you want port forwarding, just use AirVPN or rent a VPS and use that. Not sure what you’re talking about, but Mullvad is based in Sweden, which is not a part of the five eyes alliance. It’s a part of 14 eyes, but Sweden has very strong privacy laws, Mullvad even has an entire page about privacy legislation in Sweden: https://mullvad.net/en/help/swedish-legislation
They also have a page that explains how Sweden being part of the 14 eyes alliance doesn’t really affect Mullvad: https://mullvad.net/en/blog/5-9-or-14-eyes-your-vpn-actually-safe
Their office was also raided by prosecutors last year, and they weren’t able to seize any customer information, because Mullvad doesn’t store anything about their customers: https://mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised https://mullvad.net/en/blog/update-the-swedish-authorities-answered-our-protocol-request
you don’t even have a “real” user account with them ffs. I think if they really wanted to fuck people over they’d have introduced mandatory email linked to accounts long ago
Yup, and you can pay using crypto or cash if you want, and you’ll never need to let them know who you are, where you live, etc. All they care about is that your account number gets paid, and that’s it.
You could always tunnel a publicly routable IP address over your VPN… I.e. https://tunnelbroker.net/
5 eyes shit is dumb pop security anyway. As if the CIA can’t rent colo space in Kazakhstan and market you some extra spooky VPN.
Still waiting for Defense Against the AI Dark Arts to drop
DAIDA
?
Harry Potter reference.
And Dumbledore’s AIrmy for when they forbid DAAIDA as an anti-terrorist measure
I love these guys. Let’s see if somebody can just bootstrap the FOSS framework directly on TCP to work on the internet without a VPN. Fantastic project
Those words sound cool and mean literally nothing
Bootstrapping See the Application section specifically.
FOSS = Free/Open Source Software TCP = Transmission Control Protocol VPN = Virtual Private Network
These words mean a lot actually. Pretty basic terms when it comes to the internet.
That means the same as fossing the tcp so it bootstraps your privacy.
See I can sound like a bot too. Or a journo.
I think they meant the comment as a whole doesn’t really make sense, it’s a bunch of technical terms kind of shoved together. If you understand it can you explain what it means?
Yes, the individual words have meanings, as words tend to do. Those words, in that order, form a NCIS, two people typing on the same keyboard, level word salad that has so little real world relevance that it tips soundly into the absurd.
NCIS?
Here is an alternative Piped link(s):
https://piped.video/kl6rsi7BEtk?si=VK0Mn-Ld2mVW85ev
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
I’m afraid just generating random traffic from your IP address won’t do anything against traffic flow analysis. Because most internet traffic is point to point, people who are interested in the flow, just follow the traffic moving between various points. So if you’re sending extra traffic to other random sites, it doesn’t interfere with point-to-point flow analysis.
In the context of a VPN, because all of your traffic is encrypted, you have to work harder to determine what traffic is going where. Because all traffic is going from your network to another virtual network. So an outside observer just sees the size and frequency of traffic but not the destinations. In this context since they don’t see the destinations, it makes sense to add random traffic flows, because that’ll obscure the signal that the observers are looking for.
Considering that VPNs are Point-to-point too (home->VPN), I was wondering if one could use DAITA with TCP directly instead of having to use a VPN. Imagine if TCP had DAITA baked in.
Even if you baked in variable packet size into TCP. It would be trivial for anybody monitoring network flow, to see you who you’re talking to. There would be no ambiguity.
The only reason this makes sense for a VPN, is there’s a lot of traffic bundled together, so a third party doesn’t actually know where your traffic flow is going.
Consider the example if you ran your own personal VPN endpoint. So you were the only user on the VPN. Even with randomized traffic flow injected into your VPN connection, it would be trivial for any third party who’s monitoring traffic flow to know that traffic is yours. Because you’re the only VPN connection talking to the VPN server. This thought experiment applies when you don’t have a VPN at all.
If I were to send packets to a single entity over time, I’d have no use for DAITA. I agree with you on this.
However, let’s say that I run a bunch of VPN endpoints across VPSes, and the entity trying to track me doesn’t know about all of these IP ranges. I could be renting from a colo, the cloud and even a a bunch of friends who have their ports open. If I were to mix this in with my usual internet traffic, it becomes significantly harder for third-parties to figure out what I’m doing connecting to all of these different IPs. A state actor could put the resources behind it, but the average third-party will have a hard time with it. I can certainly see use-cases for it.
I think we’re mixing up vocabulary.
Every IP you talk to is visible to anybody monitoring your network. The sale of net flow data is commonly acknowledged by ISPs. So every computer you talk to is common knowledge for sale.
In your scenario, let’s say you have five VPN connections set up to go to five endpoints that you control. But if nobody else is using those same endpoints. Your net flow data still exposes exactly what you’re doing. There’s no ambiguity. Your traffic is plainly obvious to anybody observing the network. Even if those VPN connections are adding randomized traffic onto the links.
Except that I will not necessarily be connecting to the exact same IPs over time, just going to do so in specific ranges which the VPS/colo owns. There’s plenty of people who are going to be renting VPSes and will have their traffic originate from the same IP range as mine, which means that if everybody using TCP had their traffic anonymized like so, the third party wouldn’t actually know that MigratingToLemmy specifically was connecting to AWS at a certain time and from a certain location, so to speak. This hypothesis doesn’t include correlation through other data in the threat model. But it could definitely prevent correlation with traffic across locations, which is similar to what Mullvad states
I’m sorry no. This will not help you avoid flow analysis
Err… Like… a 2009 Java applet? Those were built straight on TCP. And the lack of security let anyone else in the same LAN cafe steal your password.
The closest thing I can think of that goes for the vibe you’re talking about is I2P
No port forwarding really kills the utility though - I mainly use the VPN to do port forwarding (e.g. for video games, Plex, etc.) as my ISP is shit.
Like I’m not worried about state-level de-anonymisation, I just want to be able to share services remotely and have a minimum level of anonymity.
Port forwarding removed because hosting threatened to kick mullvad out. Lot of shit hosted through that. No hosting, no vpn, so needed to remove to continue operate.
Port forwarding means torrents. People using a VPN to torrent likely have much more traffic, especially those that seed (which is why they want port forwarding). Not enabling port forwarding means mullvlad can operate at a higher profit to cost ratio, and less risk.
That’s what mullvlad say. It’s not necessarily the reason why they don’t offer port forwarding.
It was always possible for them to continue allowing port forwarding. They could use separate servers for those that want port forwarding, stopping any impact port forwarding had on those customers.
Hum… this was one of the original reasons I signed up with them. I totally missed them dropping support. I’m not mad about it because I don’t torrent much anymore, but it’s still a pretty lame excuse.
I want all my services supporting maximum fuckery at all times as a matter of general principle.
Any alternatives that you know of?
Torrenting works fine with Mullvad in my personal experience, and will pretty much up to my current ISP speed limits (which is 200Mbps download).
Can’t really guarantee you that it will be as good if you’re hosting your own seedbox over their VPN (then again if you’re doing that you should probably pay for a proper seedbox hosted elsewhere) but if you’ve downloade something and the just leave it seeding, it seems fine.
I can’t honestly say I’ve ever had much trouble with it either. No trouble receiving files at least… there wasn’t much outbound traffic, but that could just have been a lack of interest :-)
I’m happy with Mulvad’s service and now that the initial shock and indignation is wearing off I’ll probably stick with them.
Besides I read about their new traffic obfuscation and I’ve got to give that a try. We need proactive innovation like that, now more than ever.
I personally like AirVPN. Pretty good speeds depending on the server. You can port forward and have up to 5 devices connected simultaneously. Make sure you’re using the Wireguard protocol.
Only issue is that Eddie (their GUI) kinda sucks. Works okay on Linux, and probably same on Windows. The Android one just really sucks.
I personally just download the wireguard configs to use.
Thanks for the tip, I’ll check them out.
ProtonVPN has it, and Wireguard support.
Thank you. It’s good to know I have a few options.
You should be using a seedbox to torrent in this age. Let the company run their business, if they don’t want to be a part of the group that allows torrents, so be it.
If so easy to fix issue, why not make company and fix it?
There are plenty of other options in the market, including ones with port forwarding. It’s a very saturated market.
That sounds strange given that Mullvad works fine for torrenting in my personal experience and even up to quite a good speed (it can use the full 200Mbps download speed from my ISP)
Also modern NAT will do deep packet inspection on common well known protocols to automatically adjust the port of your machine listed on any “here I am” protocol messages being sent out from your side to be an actual port on the VPN Router and to have an internal association of that port in the Router with the actual port in your machine so that connections of that port can be sent to your own machine and the actual port in it that are used.
It’s only the pure listenner services (such as webservers and e-mail servers) were the port is pre-defined by convention and not a variable one sent out on any “here I am message” that require explicitly configured port-forwarding on the VPN Router side, plus because the port is fixed by convention for each type of service (such as port 25 for SMTP and port 80 for HTTP), off all the clients connected by VPN to that VPN Router at any one time, only 1 will be able to get that specific port.
You need port forwarding to connect on torrents. Your able to torrent because everyone you torrent from has port forwarding enabled. If you want to access more seeders, and more commonly leechers you need port forwarding. This is useful for people using private trackers that want to maintain a ratio.
I can download at the maximum rate my ISP supports and I can seed after downloading (probably only to those clients which my own client has connected to).
However I cannot seed in a brand new session during which I did not download that specific torrent (as I just tested).
I expect this is because, as I explained, the NAT implementation actually tracks which IP addresses your client connected to and through which VPN Router port that went so that subsequent connections from those IPs to that port get sent to the right port in your own machine, but it doesn’t support uPNP/NAT-PMP port forwarding so the bitttorrent client cannot configure on that VPN Router a static port-forwarding so that it can listen for connections from any random client.
So if I understand it correctly it totally screws self-hosted seedboxes and if you want to give back to the community you have leave it seeding immediatelly after downloading and it’s not going to be seeding anywhere as fast since its limited to peers connected to during the dowload stage.
ProtonVPN has it though, which is what I’m using now.
How does port forwarding help with videogames?
Opens up your NAT for matchmaking
I host a server, I forward the port, my friends can connect to the open port on the VPN side.
My ISP does not offer port forwarding.
Someone else pointed out Tailscale; I’ve had luck with free tier VPS+WireGuard.
I have an Oracle one which has worked well. Downside is I did link my CC, because my account was getting deactivated due to inactivity (even using it as a VPN and nginx proxy for my self hosting wasn’t enough to keep it “active”). But I stay below the free allowance, so it doesn’t cost.
That said: as far as anonymity goes, it’s not the right tool. And I fully appreciate the irony of trying to self-host to get away from large corporations owning my data…and relying on Oracle to do so. But you can get a static IP and VPS for free, so that’s something.
Alternative maybe i2p or tor network. Or make vpn to anon vps and host from there.
Zerotier could also work for you
You can use Tailscale for this
How about defense against dhcp option 121 changing the routing table and decloaking all VPN traffic even with your kill switch on? They got a plan for that yet? Just found this today.
I doubt it would matter in some environments at all.
As an example a pc managed by a domain controller that can modify firewall rules and dhcp/dns options via group policy. At that point firewall rules can be modified.
Don’t you control your dhcp server?
The Option 121 attack is a concern on networks where you don’t.
Exactly where you’d want a VPN. Cafes, hotels, etc.
True that. Hadn’t thought of that as it’s not my typical VPN use case.
I’m not sure what a VPN provider could do about that though, they don’t control the operating system’s networking stack. If the user or an outside process that the user decides to trust (i.e. a dhcp server) adds its own network routes, the OS will follow it and route traffic outside of the tunnel.
The defenses I see against it are:
- Run the VPN and everything that needs to go through the VPN in a virtualized, non-bridged environment so it’s unaffected by the routing table.
- Put a NAT-ing device in between your computer and the network you want to use
- Modify the DHCP client so that option 121 is rejected
Edit: thinking about it some more, on Linux at least the VPN client could add some iptables rules that block traffic going through any other interface than the tunnel device (i.e. if it’s not through tun0 or wg0, drop it). Network routes can’t bypass iptables rules, so that should work. It will have the side effect that the VPN connection will appear not to work if someone is using the option 121 trick though, but at least you would know something funny was happening.
Of course but you don’t control rogue dhcp servers some asshat might plug in anywhere else that isn’t your network
Love they called the defence framework “Maybenot”.
I swear the defense against the dark arts teacher just keeps getting weirder and weirder.
I can tell you that this exists way before AI, I wish that there was more awareness earlier but it’s good that now its starting
So it’s like a VPN-busta-busta?
What if they have a VPN-busta-busta-busta though?
Then we have to wait til they drop the legendary VPN-quad-busta
I use Mullvad really good, love how they don’t care who you are and can actually maintain complete anonymity even in payment.
Propably going to be banned soon for some stupid reason if gets popular, like free speech is allowing the terrorists make bears cry or something.
Windscribe had something similar already? Not exactly this, but they had a feature to add other random traffic to your network specifically to work against systems like these.
So… Tor?
Not just tor. Tor plus random traffic.
Let’s say across your VPN you always sent one megabyte per second of traffic even if you had nothing to say. And then everybody connected to the VPN endpoint did the same thing. Then it gets very difficult to actually follow the traffic flows of the encrypted packets. You don’t see a large chunk of data passing through the network
Tor does this to and is much better than a VPN
It does not generate random traffic on your link to Tor.
No but people generate random traffic
The point is that for a state actor which can watch (or at least buy detailed traffic data for) both ends, a certain pattern of packets happenning from your side to a known Tor entry node and the exact same pattern between a specific server being watched and a known Tor exit node on the other side will indicate that it’s your machine connecting to that end server, the more such patterns spotted the higher the level of confidence.
This is quite independent of how much your data is mixed with other data inside the Tor network and how many nodes it has been routed around, because this kind of analysis doesn’t care about the IP address your machine is sending requests to or the IP address the watched server is receiving request from, it only cares about your pattern of data requests and responses matching that server’s pattern of received requests and returned responses.
Whatever protocol is in the middle is wholly irrelevant. At best if the website is heavilly used and you’re lucky, the specific end node (be it the router on the other side of your VPN connection or the exit node of your Tor connection) sending your requests to that server might have other users also sending requests to that server hence you’re all disguising each other’s pattern, but this is to do with popularity of the service more than the protocol itself being good at defeating this kind of analysis.
Edit
This is not entirelly true - if the protocol changes the exit node between requests to the server then it can disguise your pattern. However given that changing the IP address from were the request comes breaks all the keep-alive performance optimizations in HTTP since v1.1, performance would be horrible at least for web browsing in modern websites (which have tons of additional content associated with a typical webpage).
/Edit
It’s all there in the Mullvad post (so you need to actually read it) and it helps if you have a background in IT Security and Cryptography since there are kinds of attack using similar mathematical principles in other areas (such as the statistical analysis of unchained symetrical encryption protocols to derive the text from the encrypted text based on the probability of the words and letters occuring in a specific pattern or the power consumption analysis of cryptographic microchips such as those in smartcards to derive the encryption keys based on the way power was drawn by the ALU during encryption and decryption, a weakness which was funnilly enough also defeated by adding noise in the form of junk operations).
It’s all pretty obvious, really ;)
I just think VPNs are over hyped. At the end of the day if someone is monitoring both sides it was game over a long time ago. Also there is no way to know what is on the other side of a VPN.
What would be interesting is a paid I2P or Tor exit proxy.
Oh yeah, people thinking that VPNs are the end-all of Privacy and Security against eavesdropping in the Internet aren’t really informed enough to understand that there are quite a lot more attack vectors than just a person’s IP address.
That said no-logging VPNs do remove one from the “low lying fruit” category for things like legal companies sending “gimme money because we detected you infringing our copyright” letters to people doing file sharing using things such as bittorrent. This is because they remove the easy way for such companies to get a person’s information when detecting file sharing from a specific IP address: one thing is getting the target by a process as simple as sending an e-mail to a local ISP demanding the identification of a user using a certain IP at a certain time due to copyright infringement (using the laws made for just that purpose during the last couple of decades in several countries), a whole different ball game is to first having to get a Court Order in an altogether different jurisdiction to force the VPN provider to install some kind of wiretap-equivalent to catch such a user at a later time for a case of Copyright Infringement - it costs way too much, takes way too much time and has way too much risk of being laughed out of court (methaphorically speaking) to be worth it for a case of non-commercial Copyright Infringement, especially if there is an overabundance of easier targets.
As with everything else in this world, VPNs are good tools for certain jobs, not some kind of silver bullet for Privacy and Security against eavesdropping.
Very well written!
Tor is much better than a VPN privacy wise. However, you are limited on speed and stuck with TCP.
