Even if you have encrypted your traffic with a VPN (or the Tor Network), advanced traffic analysis is a growing threat against your privacy. Therefore, we now introduce DAITA.

Through constant packet sizes, random background traffic and data pattern distortion we are taking the first step in our battle against sophisticated traffic analysis.

190 points

The Chinese Great Firewall (GFW) has already been using machine learning to detect “illegal” traffic. The arms race is moving towards the Cyberpunk world where AIs are battling against an AI firewall.

90 points

Careful criticizing China, you will awaken the Tankies.

57 points

Drums, drums in the deep …

47 points

You can conveniently block a whole instance from your account now, it reduces this kind of disagreement a lot.

57 points

Should you though?

I get it, it’s annoying, but the entire “let’s block people with opinions I don’t like” is probably the single source of pillarization and increased extremism on the internet.

If I’m not allowed to have a discussion or disagreement with you, and get kicked out instead, I’ll just go to places where they will talk with me and where it’s chock full of other idiots like me who are much more extreme, and in our safety bubble we can all continue to beat the same dead horse and circle jerk and make each other more extreme because there are no dissenting voices, there are no voices of reason and calm, there are no cooler heads around.

This entire moderation where we simply started dumping people with whom we disagree has made the world a much, much worse place.

Granted, it sucks to have to deal with crazies and extremists, but at least whilst they’re in the group we can all keep them grounded in reality.

14 points

Deleted by creator
1 point

Okay, which instances should I block to get rid of the tankies?

2 points

HI WINNIE POOH! How have you been, have you had your daily dose of honey yet?

-21 points

One day those tankies people here keep talking about are going to show up.

One day.

I always check under my bed each night to make sure there’s no tankies.

11 points

After I blocked hexbear and similar instances I haven’t seen them, which is nice. Occasionally I’ll see a Lemmy world one but that is pretty rare.

4 points

I think our instance defederated with hexbear.

3 points

I have some first hand experience with this. Brand new XMPP server, never before seen by anyone in the world, blocked within about 12 hours. Wireguard VPN on AWS lasts for a few hours on some networks, more on others. Never longer than a few days though.

2 points

From China?

2 points

I was there in 2017 or 2018 and set up a Shadowsocks server before I went with whatever the latest mitigations were that I could find at the time. My server wasn’t completely blocked, but ended up getting throttled to hell after a few days.

104 points

That’s one of the reasons why I love Mullvad, they actually care about their customers, not just about their bottom line.

15 points

I wonder how much of a bottom line they actually have given how cheap their service is.

63 points

Mullvad is 5 bucks a month and never has promos.

Weigh that against Nord which often has a year for like 15 bucks…

But Mullvad is one of the few that actually seems to care about privacy.

14 points

Oh wow, I had no idea Nord could go that cheap. To me €5 a month felt really inexpensive.

38 points

I’m pretty sure they are profitable, considering they were founded in March of 2009. You can’t really run a company without profits for 14 years, right? Just routing network traffic isn’t that expensive after all. They are the only ones being honest about it, other VPNs charge way more because they only want to extract money from their customers.

6 points

Cheers. Network related stuff isn’t my forte so I really have no idea about the costs. I just figured that the moment you start adding a decent amount of users the costs will go up, and €5 seems like a really fair price.

6 points

If only they didn’t bend the knee to the Five Eyes and drop port forwarding.

41 points

They got rid of port forwarding to improve the reputation of their IP ranges. That makes it less likely for Mullvad users to get blocked by CDNs like Cloudflare and Akamai when visiting websites. If you want port forwarding, just use AirVPN or rent a VPS and use that. Not sure what you’re talking about, but Mullvad is based in Sweden, which is not a part of the five eyes alliance. It’s a part of 14 eyes, but Sweden has very strong privacy laws, Mullvad even has an entire page about privacy legislation in Sweden: https://mullvad.net/en/help/swedish-legislation

They also have a page that explains how Sweden being part of the 14 eyes alliance doesn’t really affect Mullvad: https://mullvad.net/en/blog/5-9-or-14-eyes-your-vpn-actually-safe

Their office was also raided by prosecutors last year, and they weren’t able to seize any customer information, because Mullvad doesn’t store anything about their customers: https://mullvad.net/en/blog/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised https://mullvad.net/en/blog/update-the-swedish-authorities-answered-our-protocol-request

5 points

You don’t even have a “real” user account with them ffs. I think if they really wanted to fuck people over they’d have introduced mandatory email linked to accounts long ago.

3 points

You could always tunnel a publicly routable IP address over your VPN… I.e. https://tunnelbroker.net/

1 point

5 eyes shit is dumb pop security anyway. As if the CIA can’t rent colo space in Kazakhstan and market you some extra spooky VPN.

53 points

Still waiting for Defense Against the AI Dark Arts to drop

12 points

DAIDA

6 points

?

14 points

Harry Potter reference.

5 points

And Dumbledore’s AIrmy for when they forbid DAAIDA as an anti-terrorist measure.

39 points

No port forwarding really kills the utility though - I mainly use the VPN to do port forwarding (e.g. for video games, Plex, etc.) as my ISP is shit.

Like I’m not worried about state-level de-anonymisation, I just want to be able to share services remotely and have a minimum level of anonymity.

34 points

Port forwarding was removed because hosting threatened to kick Mullvad out. Lots of shit was hosted through that. No hosting, no VPN, so they needed to remove it to continue operating.

7 points

Port forwarding means torrents. People using a VPN to torrent likely have much more traffic, especially those that seed (which is why they want port forwarding). Not enabling port forwarding means Mullvad can operate at a higher profit to cost ratio, and with less risk.

5 points

That sounds strange given that Mullvad works fine for torrenting in my personal experience and even up to quite a good speed (it can use the full 200Mbps download speed from my ISP).

Also, modern NAT will do deep packet inspection on common well-known protocols to automatically rewrite the port of your machine listed in any “here I am” protocol messages sent out from your side to be an actual port on the VPN router, and to keep an internal association in the router between that port and the actual port on your machine, so that connections to that port can be sent to your own machine and the actual port on it that is used.

It’s only the pure listener services (such as web servers and e-mail servers), where the port is pre-defined by convention and not a variable one sent out in any “here I am” message, that require explicitly configured port forwarding on the VPN router side. Plus, because the port is fixed by convention for each type of service (such as port 25 for SMTP and port 80 for HTTP), of all the clients connected by VPN to that VPN router at any one time, only one will be able to get that specific port.

5 points

ProtonVPN has it though, which is what I’m using now.

6 points

How does port forwarding help with videogames?

5 points

Opens up your NAT for matchmaking.

3 points

I host a server, I forward the port, my friends can connect to the open port on the VPN side.

My ISP does not offer port forwarding.

6 points

Someone else pointed out Tailscale; I’ve had luck with free tier VPS+WireGuard.

I have an Oracle one which has worked well. Downside is I did link my CC, because my account was getting deactivated due to inactivity (even using it as a VPN and nginx proxy for my self hosting wasn’t enough to keep it “active”). But I stay below the free allowance, so it doesn’t cost.

That said: as far as anonymity goes, it’s not the right tool. And I fully appreciate the irony of trying to self-host to get away from large corporations owning my data…and relying on Oracle to do so. But you can get a static IP and VPS for free, so that’s something.

4 points

Alternatively, maybe I2P or the Tor network. Or make a VPN to an anonymous VPS and host from there.

4 points

You can use Tailscale for this.

3 points

ZeroTier could also work for you.

37 points

I love these guys. Let’s see if somebody can just bootstrap the FOSS framework directly on TCP to work on the internet without a VPN. Fantastic project.

9 points

Those words sound cool and mean literally nothing.

-8 points

Bootstrapping. See the Application section specifically.

FOSS = Free/Open Source Software
TCP = Transmission Control Protocol
VPN = Virtual Private Network

These words mean a lot actually. Pretty basic terms when it comes to the internet.

12 points

That means the same as fossing the tcp so it bootstraps your privacy.

See I can sound like a bot too. Or a journo.

10 points

I think they meant the comment as a whole doesn’t really make sense, it’s a bunch of technical terms kind of shoved together. If you understand it, can you explain what it means?

5 points

Yes, the individual words have meanings, as words tend to do. Those words, in that order, form an NCIS, two people typing on the same keyboard, level word salad that has so little real world relevance that it tips soundly into the absurd.

2 points

I’m afraid just generating random traffic from your IP address won’t do anything against traffic flow analysis. Because most internet traffic is point to point, people who are interested in the flow just follow the traffic moving between various points. So if you’re sending extra traffic to other random sites, it doesn’t interfere with point-to-point flow analysis.

In the context of a VPN, because all of your traffic is encrypted, you have to work harder to determine what traffic is going where. Because all traffic is going from your network to another virtual network. So an outside observer just sees the size and frequency of traffic but not the destinations. In this context since they don’t see the destinations, it makes sense to add random traffic flows, because that’ll obscure the signal that the observers are looking for.

2 points

Considering that VPNs are Point-to-point too (home->VPN), I was wondering if one could use DAITA with TCP directly instead of having to use a VPN. Imagine if TCP had DAITA baked in.

2 points

Even if you baked variable packet sizes into TCP, it would be trivial for anybody monitoring network flow to see who you’re talking to. There would be no ambiguity.

The only reason this makes sense for a VPN is that there’s a lot of traffic bundled together, so a third party doesn’t actually know where your traffic flow is going.

Consider the example where you ran your own personal VPN endpoint, so you were the only user on the VPN. Even with randomized traffic flow injected into your VPN connection, it would be trivial for any third party who’s monitoring traffic flow to know that traffic is yours, because you’re the only VPN connection talking to the VPN server. This thought experiment applies when you don’t have a VPN at all.

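The two comments above make two separate points: padding and cover traffic remove what a passive observer can learn from packet sizes and counts on an encrypted link, but they cannot hide who is talking to whom unless many users' tunnels terminate at the same VPN server. The toy model below is an added example written for this thread, not Mullvad's DAITA implementation or anything from the original post. All traces, the fixed cell size `CELL`, the fixed per-direction packet count `TARGET_COUNT`, and the client/server names are constructed assumptions; the observer here sees only (direction, size) pairs, so packet timing, which real traffic analysis also uses, is deliberately not modelled.

```python
"""Toy model of what a passive observer learns from packet sizes on an
encrypted link, and how constant packet sizes plus cover traffic shrink that
leak. Every trace and address here is constructed sample data."""
import random
from collections import Counter

CELL = 1500        # assumed fixed on-the-wire packet size after padding
TARGET_COUNT = 16  # assumed fixed packet count per direction after cover traffic

# Constructed traces: one entry per packet, sign = direction (+ client->server).
TRACES = {
    "site-A": [120, -1500, -1500, -1500, -900, 60, -1500, -300],
    "site-B": [250, -450, 150, -1500, -1200, 60, -250, -250, 60],
    # same packet counts as site-A (2 out, 6 in) but different sizes
    "site-C": [60, -1200, -1200, -600, -600, -1200, 60, -300],
}

# Constructed tunnels the observer can see: (client, VPN server) pairs.
TUNNELS = [("client-1", "vpn-1"), ("client-2", "vpn-1"), ("client-3", "vpn-2")]


def fingerprint(trace):
    """The observer's view of one flow: how many packets of each size went in
    each direction. Payload is encrypted, so sizes and directions are all
    that is left to compare."""
    return frozenset(Counter((p > 0, abs(p)) for p in trace).items())


def pad_to_constant(trace, size=CELL):
    """Countermeasure 1: every packet is padded to the same size, so the
    size distribution no longer distinguishes sites (counts still do)."""
    return [size if p > 0 else -size for p in trace]


def add_cover_traffic(trace, rng, target=TARGET_COUNT, size=CELL):
    """Countermeasure 2: dummy packets inserted at random positions until
    each direction carries `target` packets, so packet counts stop leaking
    too. A dummy is indistinguishable from a real padded packet."""
    out = list(trace)
    for direction in (1, -1):
        present = sum(1 for p in out if (p > 0) == (direction > 0))
        for _ in range(max(0, target - present)):
            out.insert(rng.randrange(len(out) + 1), direction * size)
    return out


def defend(traces, seed=0):
    """Apply both countermeasures to every trace."""
    rng = random.Random(seed)
    return {name: add_cover_traffic(pad_to_constant(t), rng)
            for name, t in traces.items()}


def distinguishable(traces):
    """How many of the sites the observer can still tell apart."""
    return len({fingerprint(t) for t in traces.values()})


def anonymity_set(tunnels, exit_flow):
    """The second comment's point: the observer sees client->VPN tunnels and
    VPN->destination flows. The candidate senders of an exit flow are all
    clients tunnelled to that VPN server; with a single client the set has
    size 1 and no amount of padding changes that."""
    vpn_server, _destination = exit_flow
    return {client for client, server in tunnels if server == vpn_server}


if __name__ == "__main__":
    padded = {n: pad_to_constant(t) for n, t in TRACES.items()}
    print("raw:", distinguishable(TRACES))                 # 3
    print("padded:", distinguishable(padded))              # 2
    print("padded + cover:", distinguishable(defend(TRACES)))  # 1
    print(anonymity_set(TUNNELS, ("vpn-1", "example.org")))  # {'client-1', 'client-2'}
    print(anonymity_set(TUNNELS, ("vpn-2", "example.org")))  # {'client-3'}
```

Padding alone leaves site-B distinguishable by its packet counts, which is why the fixed per-direction count from cover traffic is the second step; the `anonymity_set` check is the single-user-VPN thought experiment from the comment above, where the exit flow from `vpn-2` can only belong to `client-3`.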
1 point

Err… Like… a 2009 Java applet? Those were built straight on TCP. And the lack of security let anyone else in the same LAN cafe steal your password.

The closest thing I can think of that goes for the vibe you’re talking about is I2P.


Technology

!technology@lemmy.world


This is a most excellent place for technology news and articles.
