2y ago

Mullvad Annouce Removal Of All Disk Infrastructure - Now RAM Only

mullvad.net /en/blog/2023/9/20/we-have-successfully-completed-our-migration-to-ram-only-vpn-infrastructure/

Today we announce that we have completely removed all traces of disks being used by our VPN infrastructure!

Technology @lemmy.ml

Voyager @psychedelia.ink

2y ago

We have successfully completed our migration to RAM-only VPN infrastructure - Mullvad VPN

mullvad.net /en/blog/2023/9/20/we-have-successfully-completed-our-migration-to-ram-only-vpn-infrastructure/

Technology @lemmy.world

Voyager @psychedelia.ink

2y ago

We have successfully completed our migration to RAM-only VPN infrastructure - Mullvad VPN

mullvad.net /en/blog/2023/9/20/we-have-successfully-completed-our-migration-to-ram-only-vpn-infrastructure/

125 comments

Full article:
We have successfully completed our migration to RAM-only VPN infrastructure
20 September 2023 NEWS SYSTEM TRANSPARENCY
Today we announce that we have completely removed all traces of disks being used by our VPN infrastructure!
In early 2022 we announced the beginning of our migration to using diskless infrastructure with our bootloader known as “stboot”. Completing the transition to diskless infrastructure
Our VPN infrastructure has since been audited with this configuration twice (2023, 2022), and all future audits of our VPN servers will focus solely on RAM-only deployments.
All of our VPN servers continue to use our custom and extensively slimmed down Linux kernel, where we follow the mainline branch of kernel development. This has allowed us to pull in the latest version so that we can stay up to date with new features and performance improvements, as well as tune and completely remove unnecessary bloat in the kernel.
The result is that the operating system that we boot, prior to being deployed weighs in at just over 200MB. When servers are rebooted or provisioned for the first time, we can be safe in the knowledge that we get a freshly built kernel, no traces of any log files, and a fully patched OS.
It's a good day to be a Mullvad user. Switched over from Surfshark a while ago, and I love it.
- Is it noticeably faster than Surfshark for you?
  
  I haven't noticed a difference but this company is significantly more trust worthy IMO
  
  You don't use Mullvad for their performance, you use them for their insanely paranoid security and privacy practices.
  And for the record, I was never impressed with Surfshark speeds. I dropped them when they bundled a virus scanner into their VPN client, that's sketchy as hell. I don't want my VPN provider scanning my files.
  
  I never had any real issues with speed using Surfshark, the reason I made the switch was largely about trust. As another user said, as soon as I saw Surfshark start their YouTube advertising spree, and start to bloat their client with unnecessary features, I started looking for alternatives.
  I'm iffy about any VPN company that uses YouTuber marketing as it is, and while my threat model isn't overly paranoid, I believe the VPN company someone chooses to use should have paranoid business practices. After I saw the news on Mullvad's raid, the authorities subsequently finding nothing, and the fact that a user's account is merely a string of numbers, I decided it was the VPN for me.
  
  Mullvad compared to PIA, Google annoys me less with recaptures. I know it doesn't answer your question but thought I'd throw my 2 cents in since PIA was quite a popular choice with their YouTube sponsor slots and cheap prices
- no port forwarding. No business from me
  
  Why not host your own on-site VPN server if you want to be able to dial in/allow others to dial in?
Why is their logo a Mole when Mullvad is The Goat
Wow, that is very impressive. I've been a subscriber for a few years and I couldn't be happier with their service.
- Except with the removal of port forwarding
  
  That didn't effect me much personally and I could understand their reasoning. Still, it's understandable that it lead to some frustration among other users.
  
  Ah man, that was the one reason I was going to switch to them !!
  
  Someone in this thread mentioned that was abused so much that hosting providers cancelled them. So they needed to remove it to be able to continue to operate.
  
  I've been a subscriber for 5+ years and have zero issue with the loss of port forwarding. I use my devices for everything from gaming to torrenting, and haven't run into something cause a problem that required me to use port forwarding on mullvad.
  what has been an incredible source of frustration as a user of Mullvad tho is when websites block me or hit me with repeating captchas. I've also had a huge uptick of spam coming in from weird domains. Obviously not sure if thats mullvad-related, but sounds like the issue of "individuals have frequently used this feature to host undesirable content and malicious services from ports that are forwarded from our VPN servers".
  The removal of this feature seems to be a better of two difficult options.
- Der Zuhausi hat Geschmack!
Mullvad is good, definitely my go-to VPN these days.
I find the "Mullvad VPN scratch cards" interesting. If a store near you has them you could buy one and be totally anonymous. What I find a bit odd is that you can buy them on amazon as well but sold directly by mullvad. Doesn't that defeat the purpose? The idea of the card is a decoupling of your real identity from the vpn user but when you buy the card in their store doesn't it negate that?
I am probably just missing something here. Does anyone have more insight?
- The code on the card is covered so Amazon might know you use Mullvad but they have no way of knowing what your account is.
  Mullvad know your acct but they have no way of knowing how it is you paid other than maybe it being a scratchcard which they don't track anyway.
  
  I am not talking about amazon knowing it. Amazon offers shops for businesses, where a business directly sells goods to their customers using amazon as a transaction platform. Those shops send the goods directly to their customers (Sometimes it comes from an amazon warehouse as well tho). If the first case is true, mullvad would send me the card directly, so they would know I bought it, which makes the card obsolete in my view.
  But maybe they don't send it themself and the cards are all just sitting in a big warehouse. Either way, to me it's not 100% a given that they couldn't at least in theory know who bought it.
  I am just playing devils advocate here btw, I am not really concerned about it.
- Well amazon can tell youve bought a card
  But not which code you recieved, on the physical card..
- Better yet, they employ a guy you can find in an alley who has a bunch of redemption cards in his trench coat. He takes cash or crack.
  
  I think I'll stick with Monero...
- Probably not because they still dont know who bought that card since the scratch card is linked to the money but that card could be used by anyone. Nothing stop you from buying them and giving them to a friend
- Just use cash.
- Just use monero
- Well the biggest selling point of VPNs is easier piracy not privacy. Most VPN customers just want to protect themselves from anyone watching their downloading habits. Yeah technically there would be a trail but no one is going to follow it to catch someone downloading inception.
Interesting what’s going happening with mullvad. For the best part of 10’years, you hear nothing.
Does anyone know why they are recently noisy?
- Going by rate of blog posts by year they don't seem any noisier than usual. The opposite if anything. 18 this year and there's only 3 and a bit months left of the year whereas in 2018 they made 60.
- You are incorrect. Look through their blog archive (scroll to the bottom): https://mullvad.net/en/blog/
  They've been posting steadily for over a decade, maybe the posts just got more popular this year on whatever sites you browse
- They dropped port forwarding and likely lost a lot of business related to this. They are trying to compensate for the loss I think which is great.
- Noisy? Bit odd to call it that. Also, from my perception they were always present with regularly published news about how they improve or just update/change their service.
- Not sure what you mean, they've been posting fairly regular updates on software and infrastructure improvements and security audit responses on their blog for the entire time I've been a customer (6 years).
- They've been relatively quiet on their blogs actually, its just that its growing in popularity, so more people are talking about it.
  Imo what makes it so good is their pricing scheme. You put however much money you want in your account, and you get an equivalent amount of time. All you need is an account number, no email no contracts no hassle
- Mullvad was always the most straightforward privacy centric vpn with a very long and uneventful history.
  They used to offer port forwarding on top of all that. People use port forwarding to do torrents, run internet facing services from home, and share csam.
  The authorities could never go through mullvad to get the identities of csam users because of mullvads infrastructure (according to them it’s not stored so it’s impossible for a raid to turn up identifying data).
  The authorities switched tactics and convinced a bunch of websites, dns services and other stuff to block mullvads public facing IPs. For a while there in march or so you couldn’t browse shit from a mullvad ip.
  The goal was to force csam people on to other services that are softer targets for law enforcement.
  It worked. Mullvad dropped port forwarding and all the torrenters, selfhosters and csam traders left.
  Mullvad has been working to be a better vpn provider ever since because the raids themselves scare users off, the dropped services lost them some users and the awareness of international law enforcement cooperation scared some users off using vpn services in fourteen eyes countries (mullvad is in Sweden).
  At the time all this went down I only had mullvad but now I use another vpn for port forwarding and mullvad for everything that doesn’t need that.
Mullvad is such a good company. I just bought another month yesterday, but guess I'll go and add another year to that!
They're amazing. I don't torrent anymore so I'll definitely be renewing.
- What speaks against torrents with mullvad?
  
  No port forwarding.
Of only they'd kept port forwarding.
- Didn't really have a choice:
  ...Regrettably individuals have frequently used this feature to host undesirable content and malicious services from ports that are forwarded from our VPN servers. This has led to law enforcement contacting us, our IPs getting blacklisted, and hosting providers cancelling us.
  Blog post
  Big issue there is hosting providers cancelling them. Can't operate a business without that.
  
  Short of getting their own servers of course. This update seems to be a step forward in that direction
- Agreed. Seems like they were in a super tough spot with that and kind of had to drop it. All the sudden they seem to be doing some new cool stuff to try to keep their edge which I really appreciate / respect. That being said, I've dumped them and switched to a service that still port forwards as it gives me better torrenting throughput. Sorry Mullvad.
- Only reason I switched away :(
- Oh, they ditched it? I was about to switch from Windscribe but I need port forwarding for all sorts of stuff every day. Oh well :-(
From what I read in the article, there is still one part of the boot sequence that does require some sort of storage: the part where the bootloader fetches the network boot image and verifies it against the checksum signature. But I think that can be performed by booting from a pendrive and then removing it. The problem will come if law enforcement gets a hold of said pendrive...
- Why would that be a problem? A boot image should only contain the commands to get the main system started after POST. It shouldn't contain any kind of logs, traffic data, or user data. In fact it should be read-only.
- PXE boot will TFTP the boot image into RAM and carry on from there. You shouldn't need any storage on your device.
  
  I'm aware of PXE, but in order to do so you need either of:
  the boot image supplying server being in the same intranet as the rest of the other servers, or
  some sort of method to point the diskless server to the correct external IP address to listen to
  Since the first mode is probably too unsafe, that leaves us with the second mode. Either the operator memorizes a specific IP address and types it into the BIOS each time the server is rebooted, or the IP address (and possibly the checksum of the image) are stored in a single-use pendrive that the operator carries. I wonder which of these two methods is used in this case.
- Boot Drive could be immutable and not contain any form of log?
- Destroy the drive. That’s what Apple does and how they get around the whole “we need a backdoor” problem. When no one can access the server, no more problems.
  
  Something tells me that they have a stack of single-use drives so that each time a server needs to reboot for some reason, they write a boot loader in one from their central headquarters, walk back to the server room, use the device to boot the server, and finally hammer the everliving bejeezus out of the thumb drive juuuuust in case. Hopefully they don't have to reboot that often!
Interesting, will this affect performance at all?
- I think (disclaimer: not an expert at all) that RAM is much faster to access than a hard drive so if anything it should improve.
  
  Yea. Also a reboot is enough to wipe anything of the face of the globe. So I that can only improvement
  
  It will make no difference to the performance of a VPN; nothing that those nodes are doing is IO bound.
- It's unlikely to have any noticeable impact. This is more about verifiably and categorically not having any traces of logging or cached state.
  Both caching and logging should be independent of the direct usage performance anyway. And service startup happens only once - not during its usage.
How does this work? Surely they have backups on some kind of persistent media, right?
Doesnt Matter, if the police wants the data, they come with Auto Batteries and an usp and make User of the multiple Power supplies of modern servers.
They will carry the whole rack in one piece if they can.
Have they ever been audited like PIA?
- The article is five very short paragraphs. The third one is:
  Our VPN infrastructure has since been audited with this configuration twice (2023, 2022), and all future audits of our VPN servers will focus solely on RAM-only deployments.
- Few times, yeah. Last time was August this year
  
  Thank you, a real answer that compares to PIA
- Have you read the article?
  
  I did read the article. It does not state if the audit was internal or external "like PIA."
- Guys I know we all hate it when people don't read the article but did they really deserve the condescension and the down votes? They're dumb not evil.
  
  I wish votes were like how Reddit originally intended their voting system to be and still states it to be. Upvote if it's relevant and adds to the conversation, otherwise downvote. But people use it as an agree/disagree system.
  
  I did read the article. It does not state if the audit was internal or external "like PIA."
- Yeah they are pretty transparent about them. The audits will typically find security issues and potential privacy leaks like they ideally should so Mullvad can go and fix them.
So now all that needs to happen is a freak solar flare or electrical surge to completely destroy their business?
- Not at all. Of course their operating system has to be booted from some kind of solid state disk, but all actual operations are carried out in the RAM, meaning that nothing is ever written to the disk. Since the RAM is periodically overwritten and doesn't hold any data in case of a reboot or power failure, they are de-facto not logging a single thing.
  
  I believe the edge devices would use netboot, so they load the kernel and user land into RAM over a network and have no disk in them at all.
  Here’s hoping that image stays clean😉
- I think you’re misunderstanding.
- One big enough to fry running RAM, especially if they're using real servers with ECC: RAM that can fix data corruption.
  If a solar flare is frying server RAM, the power grid itself is going to be on fire. All of it.
- It'd turn the servers off obviously, but that'd be true if it was on disk or not. The source code is stored elsewhere probably on multiple data servers they access with git.
- It's a valid question, even if your scenario isn't plausible. The very point is that all data is ephemeral - there is no "data at rest" to be compromised. But the problem is that this data is very, very important. It would include (among other things) account information. If all of the servers power off simultaneously (for whatever reason), then yes, it would likely destroy them. More likely is a software fault that causes each system to crash, or lose/corrupt that data.
  But there are ways around this, too. I have no idea which (if any) of these they are doing, just that these are options. They already probably sync data among running servers, it will just now be done exclusively in RAM. They can have "seed" distributed servers, running an entirely different codebase, simply to house this data. They would also be diskless, but mostly unconnected to the standard operational servers. From an architecture and design standpoint, these would work a lot like disks.
  Distributed is also a key word - it wouldn't be a single server, rack, or even datacenter that would need to collapse. It would be to be all of them, or at least sever their connections to each other.
  (Side note: Going diskless addresses concerns about data security for data at rest. It does nothing about data in motion)
  TL;DR: Theoretically yes, but it would take a lot more than that.

125 comments