Comment by dongcarl

Comment by dongcarl 2 days ago

15 replies

View on Hacker News

(Carl from Obscura here)

Totally! Mullvad is _the_ pioneer in this space, and we look up to them. This is why they were our top pick for being an exit hop provider!

VladVladikoff 2 days ago

Hey Carl, sorry to hijack the thread but I have a question for you. Being the operator a small website (5M views/month, 200k users), I am often plagued by targeted cyber attacks. Over the years many of these come from privacy enhanced networks (eg Tor, Mullvad, etc). I have approached Mullvad many times with abusive user reports which they seem to simply ignore. How do you plan to address this in your product? Will you simply allow bad actors to abuse the internet via your service? Or do you have some plans to address this issue?

Reply View 13 replies
  • ziddoap 2 days ago

    If the abuse is serious enough, pursue legal avenues. Otherwise, these types of companies shouldn't be unmasking users based on a random persons assertion that someone is bad. That would be an abuse vector itself.

    Reply View 4 replies
    • VladVladikoff 2 days ago

      I am not asking them to. I am asking them to do a better job of bad actor detection and banning. Their current stance seems to be “ignore all packets, log nothing”. In my opinion they should be doing some amount of AI based abuse detection. This should be possible without violating user privacy.

      Reply View 3 replies
      • echoangle 2 days ago

        How would you get training data for the AI without logging packets?

        Reply View 0 replies
      • Technetium a day ago

        AI is not the answer for most things, but it's especially not the answer for this. Basic packet filtering is all there should ever be.

        Reply View 0 replies
      • [removed] 2 days ago
        [deleted]
        Reply View 0 replies
  • yjftsjthsd-h 2 days ago

    > I have approached Mullvad many times with abusive user reports which they seem to simply ignore.

    What would you like them to do? Considering that AIUI they outright don't log or monitor users at all, I can't think of anything they could do with your reports.

    Reply View 4 replies
    • VladVladikoff 2 days ago

      Yes that is the crux of the issue. However many times when I reported bad actors to Mullvad the attacks were multi day attacks that were ongoing. It would have been trivial for Mullvad to add a filter to check for future packets from that VPN ip to my server IP and flag the associated account. However I believe even this approach is far to manual and invasive. I think there would be a better way using AI to analyze abuse patterns, and automatically flag bad users which match these patterns.

      The issue is that VPN providers have zero motivation to do this, because a non-zero percentage of their user base is literally paying them BECAUSE they can use the service to attack other servers with a level of anonymity. If the VPN providers were to combat this issue it would negatively impact their revenue.

      Reply View 3 replies
      • yjftsjthsd-h 2 days ago

        > It would have been trivial for Mullvad to add a filter to check for future packets from that VPN ip to my server IP and flag the associated account.

        In other words, to break the fundamental premise of their product and identify traffic to a user.

        > I think there would be a better way using AI to analyze abuse patterns, and automatically flag bad users which match these patterns.

        Not without, again, creating an entire system which exists only to record traffic and tie it back to users.

        Basically, both of your suggestions amount to "stop providing the product that is their entire business model", because the whole point is that they go out of their way to avoid having the information that you want them to use.

        Reply View 1 reply
        • mmooss a day ago

          They don't have to tie it back to an individual, only to an account or, if they respond quickly enough, to a set of activities or traffic pattern.

          Reply View 0 replies
      • Imustaskforhelp 2 days ago

        Lets face it man , they can't do anything.

        they can't have AI detection or any other thing to help you. Simply put they can't help you. If they have to , then they aren't that private.

        And they are in the business of privacy.

        I wonder why threat actors are abusing your website ? I think you have also used cloudflare anti DDOS ? so the problem isn't DDOS , then what exactly is the problem ? are they signing up and abusing your free service or something like that ?

        Reply View 0 replies
  • dongcarl 2 days ago

    I can understand that concern, and I think in the future some version of [Privacy Pass](https://privacypass.github.io/) will allow for site operators to differentiate between normal vs. abusive users without relying on IP reputation (which is more unreliable anyway since CGNAT is a thing).

    Reply View 1 reply
    • VladVladikoff 2 days ago

      We typically don't ban IPs for the very reason mentioned here (CGNAT is a very real thing and we have many users who share IPs). However we do ban IP ranges associated with VPNs that we see an excessive amount of abuse from. I might be an outlier on the internet, but if you take the stance you have outlined above, that you will effectively do nothing to combat the level of abuse from your network, you inevitably hurt your honest users because some web services will be unavailable to them via your VPN.

      Reply View 0 replies
k1tanaka a day ago

As a long term user of Mullvad, I appreciate when new companies try to innovate on existing ones while acknowledging their value. While I have no interest in changing VPNs right now, I will keep an eye on Obscura. Hope you the best

Reply View 0 replies