by spxneo 778 days ago
Toy with me for a bit, couldn't Mullvad be another "Encrochat" in the making?

Encrochat was similarly marketed as absolutely trustable complete with experts covering "we fixed this vulnerability/exploit and you can trust us" vibes (https://www.manchestereveningnews.co.uk/news/uk-news/dads-se...)

Isn't Mullvad the same thing?

Do you really think they would allow terrorists like Hamas to use Mullvad to coordinate attacks? Coincidentally, Hamas does not trust any sort of VPN, opting for underground land lines.

2 comments

This is a good point. It doesn't have to be Mullvad, but it's almost guaranteed, based on what we've seen in history (see CIA + Swiss crypto company), that some of the major VPN providers are managed by intelligence agencies. Either VPN companies were bought via shell companies after reaching a certain market share or they were even developed from scratch.

> Hamas does not trust any sort of VPN, opting for underground land lines.

I mean, duh. Like everyone always says around here, all bets are off when your threat model includes nation states.

Timing attacks, metadata, and total access to the internet backbones mean it’s a reasonable bet that the Big Boys can track anything on the public internet, regardless of encryption or redirection. And if you’re Hamas, you’re probably on their radar.

So your narrative is that they have complete access but choose not to act on anything they find on VPNs and other "privacy focused" tech?

Makes sense as there have been no cases involving terrorists using Mullvad and such.

So Mullvad is not good enough for terrorists but good enough for the rest? This makes no sense to me.

There are only two realistic possibilities with Mullvad:

If they are a state actor, then the goal would be to use the intelligence only for parallel construction in the most severe cases like terrorism.

If they are not a state actor, then the goal would be to be so private that if terrorists use it, nobody would ever know including themselves.

In both cases, we see the same result as the public until somebody leaks.

This means that you would be very unlikely to get busted using a state compromised VPN for torrenting movies, as that's typically a civil matter and would require additional data points for parallel construction to not reveal the compromised VPN.

But if you are involved in terrorism, then you should assume the VPN is compromised in a way that will make digging up additional secrets about your activities trivial and attributable to something besides the VPN that everyone is fine with (like dragnet service provider data).

> but choose not to act on anything they find on VPNs and other "privacy focused" tech?

Oh, they probably do act on it. For most things, I assume they use the intelligence they gather for parallel construction - if you know a fact about an adversary, it can make it easier to find other, more obvious (to that adversary) ways to "find" that information.

I'd imagine taking direct, obvious action on information gleaned from front and honeypot VPN services is probably only done for extreme cases i.e. an active threat to the country/administration/agency/allies.

What’s not to understand? Nation states (read: their 3 letter agencies) probably don’t care if you’re torrenting movies.

What's the point for a terrorist certified VPN?